The 4chan image messageboard, beloved by anonymous internet pranksters and trolls, has admitted that it suffered a security breach last week that saw a hacker gain unauthorised access to user information.
The attack – which is said to have taken place last week – was seemingly personally motivated, according to a blog post (quietly entitled “Concerning a recent intrusion”, presumably in an attempt to not draw too much attention to itself) by the 4chan’s founder “moot”:
Last week we were made aware of a software vulnerability that allowed an intruder access to administrative functions and information from one of our databases. The intruder later stated their motive was to expose the posting habits of a specific user they disliked.
After careful review, we believe the intrusion was limited to imageboard moderation panels, our reports queue, and some tables in our backend database. Due to the way the intruder extracted information from the database, we have detailed logs of what was accessed. The logs indicate that primarily moderator account names and credentials were targeted.
Three 4chan Pass users had their Pass credentials accessed, and were notified and offered refunds and lifetime Passes shortly after the discovery. As a reminder, all payment information is processed securely by Stripe—we never see nor store any of it, and thus no payment information was compromised.
4chan says it has now patched the security hole to prevent further exploitation of the flaw to gain unauthorised access and exfiltrate data.
Interestingly, although 4chan’s blog post doesn’t mention it, there may have been a more underlying security problem with the site.
Softpedia reports that there were claims posted on the site last week that the hacker wanted to shine light on “multiple abuses of power and violations of proper mod stewardship.”
According to that report, the hacker had unauthorised access to 4chan’s internal systems for a week, and exposed 12,000 users passes – which are sold by the site to allow posters to avoid irritating CAPTCHAs when posting.
Considering the kind of content which frequently gets posted on 4chan, it’s understandable if regular anonymous users were nervous about their personal details being put at risk.