4chan admits it suffered hack attack

4chanThe 4chan image messageboard, beloved by anonymous internet pranksters and trolls, has admitted that it suffered a security breach last week that saw a hacker gain unauthorised access to user information.

The attack – which is said to have taken place last week – was seemingly personally motivated, according to a blog post (quietly entitled “Concerning a recent intrusion”, presumably in an attempt to not draw too much attention to itself) by the 4chan’s founder “moot”:

Last week we were made aware of a software vulnerability that allowed an intruder access to administrative functions and information from one of our databases. The intruder later stated their motive was to expose the posting habits of a specific user they disliked.

After careful review, we believe the intrusion was limited to imageboard moderation panels, our reports queue, and some tables in our backend database. Due to the way the intruder extracted information from the database, we have detailed logs of what was accessed. The logs indicate that primarily moderator account names and credentials were targeted.

Sign up to our free newsletter.
Security news, advice, and tips.

Three 4chan Pass users had their Pass credentials accessed, and were notified and offered refunds and lifetime Passes shortly after the discovery. As a reminder, all payment information is processed securely by Stripe—we never see nor store any of it, and thus no payment information was compromised.

4chan says it has now patched the security hole to prevent further exploitation of the flaw to gain unauthorised access and exfiltrate data.

Interestingly, although 4chan’s blog post doesn’t mention it, there may have been a more underlying security problem with the site.

Softpedia reports that there were claims posted on the site last week that the hacker wanted to shine light on “multiple abuses of power and violations of proper mod stewardship.”

According to that report, the hacker had unauthorised access to 4chan’s internal systems for a week, and exposed 12,000 users passes – which are sold by the site to allow posters to avoid irritating CAPTCHAs when posting.

Considering the kind of content which frequently gets posted on 4chan, it’s understandable if regular anonymous users were nervous about their personal details being put at risk.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “4chan admits it suffered hack attack”

  1. NiNE

    So "…unauthorised access to user information…" given this and given the fact that everyone on 4chan is anonymous, what sort of user information can there possibly be..?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.