The anonymous image board 4chan has survived years of controversy. It weathered user and advertiser boycotts as well as damning accusations that it incubated hate speech that may have fueled mass shootings. Users have convened on 4chan to plan hacks like DDoS attacks, and conspiracy theories that festered on 4chan even reportedly inspired the January 6 insurrection at the United States Capitol. On Monday night and Tuesday, though, the platform faced its latest test after a series of outages led to speculation that the site had been hacked.
The core feature 4chan provides is public anonymity to post text and images, but the platform itself does collect information about users, such as their IP addresses. As a result, a breach of the website could represent a significant exposure of data that was intended to be private.
“4chan is an anonymous message board that enables often offensive and hateful content. The content leaked, if genuine, would remove some of the anonymity from 4chan administrators, moderators, and janitors,” says Ian Gray, director of analysis and research at the security firm Flashpoint. The image board’s billing as an “anonymous” platform may have given users a “false sense of security,” Gray says. “Some users may have registered their email addresses years ago when they were less aware or concerned about their operational security.”
Reports about the apparent hack began circulating after a previously banned board on 4chan briefly appeared online and the site was defaced with a message saying, “U GOT HACKED XD.” Subsequently, an online account on a rival forum known as Soyjak.party posted screenshots allegedly showing 4chan’s backend systems, plus a list of alleged 4chan administrator and moderator usernames, with associated email addresses. Following this post of 4chan administrator email addresses, Soyjak.party users started posting alleged doxes, including photos and personal information, of the accounts included in the leak.
WIRED has not been able to confirm whether the data is legitimate. A press email address associated with 4chan as well as two alleged administrator emails from the leaked data did not immediately respond to WIRED’s requests for comment on the hack and its validity. One of the site’s moderators said they believed the hack and leaks were real, according to a report by TechCrunch.
Rumors also started circulating on Tuesday that the breach is the result of 4chan running legacy, unpatched software that exposed the platform to attack. After a breach a decade ago, 4chan founder Christopher Poole, known online as “moot,” wrote in a blog post, “[We] have spent—and will continue to spend—dozens of hours poring over our software and systems to help mitigate and prevent future intrusions. We’re sorry it happened, and will do our best to ensure it doesn’t happen again.”
Emiliano De Cristofaro, a computer science and engineering professor at UC Riverside, who has researched the impact of 4chan on the web, says the ramifications could be large if the hack is confirmed.
“It seems true that 4chan hasn’t been properly maintained and patched for years, which might indicate that a hack would have definitely been a possibility,” De Cristofaro says. “There might be some ‘high profile’ users exposed as moderators—traditionally, 4chan users hate them, so they might be targeted. It might be hard or at least painfully slow and costly for 4chan to recover from this, so we might really see the end of 4chan as we know it.”
