4chan user data leak
Introduction: what is 4chan
First, let's start with a few sentences about what 4chan is. 4chan is a pseudo-anonymous imageboard website launched in 2003, known for its minimal moderation and for illegal and offensive content. It hosts a wide range of boards dedicated to topics like anime, technology, video games, and politics.
How it got hacked
There are a few theories on how it got hacked; the main one is a file upload vulnerability. 4chan has around 70-80 boards, some of which allow PDF files to be uploaded. It seems that validation of the uploaded file was either absent or insufficient, which allowed an attacker to upload files other than PDFs to the server.
This missing or insufficient upload validation was the first link in a chain of attacks that together breached the site. A file upload vulnerability lets an attacker upload files that should not be accepted. 4chan processed uploads with an outdated version of Ghostscript (from 2012) that had known remote code execution issues. The attacker would have had to discover this by guessing or by inspecting the server's responses. Having understood that, the attacker uploaded a Ghostscript file containing commands instead of a PDF and obtained limited access to the server, which on its own was not enough for the attack.
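An added example (not 4chan's code) of the kind of server-side check whose absence the paragraph describes: it refuses uploads that claim to be PDFs but do not carry a PDF header, including PostScript programs that an old Ghostscript would interpret. The size limit and the sample byte strings are constructed for the example.

```python
"""Upload validator for a PDF-only board (added example, not 4chan's code).

The checks are deliberately strict: extension, size, the %PDF- header at
offset 0, an explicit refusal of PostScript programs, and a %%EOF trailer.
Passing these checks does not make a file safe to render; it only stops the
simplest substitution, so the renderer must still be patched and sandboxed.
"""
from typing import Optional

PDF_MAGIC = b"%PDF-"
PS_MAGIC = b"%!PS"
MAX_BYTES = 8 * 1024 * 1024  # assumed per-file limit, not 4chan's real value


def check_pdf_upload(filename: str, data: bytes) -> Optional[str]:
    """Return None if the upload is acceptable, otherwise a rejection reason."""
    if not filename.lower().endswith(".pdf"):
        return "extension is not .pdf"
    if not data:
        return "empty file"
    if len(data) > MAX_BYTES:
        return "file too large"
    # A PostScript program sent under a .pdf name is exactly the kind of file
    # an unpatched Ghostscript would interpret; refuse it explicitly.
    if data.startswith(PS_MAGIC):
        return "PostScript program disguised as PDF"
    # PDF files must begin with %PDF-; leading junk is not accepted.
    if not data.startswith(PDF_MAGIC):
        return "missing %PDF- header"
    # Every conforming PDF ends with %%EOF (possibly followed by a newline).
    if b"%%EOF" not in data[-1024:]:
        return "missing %%EOF trailer"
    return None


# Constructed sample inputs for the example.
GOOD_PDF = (
    b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)
PS_PROGRAM = b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\nshowpage\n"
HTML_FILE = b"<html><body>not a pdf</body></html>\n"

if __name__ == "__main__":
    for name, blob in [("paper.pdf", GOOD_PDF), ("paper.pdf", PS_PROGRAM),
                       ("page.pdf", HTML_FILE), ("paper.ps", PS_PROGRAM)]:
        print(name, "->", check_pdf_upload(name, blob) or "accepted")
```

An accepted file still reaches the renderer, so the real fix is the one 4chan eventually applied: update the outdated software and disable PDF uploads where they are not needed.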
From there, the attacker explored the filesystem and discovered a SUID binary that could be exploited for privilege escalation. SUID (Set User ID) binaries run with the privileges of their owner (typically root) rather than the user executing them, making them a common target for attackers seeking elevated access.
Based on my unverified analysis of the leaked source code, the exploited binary was likely suid_run_global, which accepts user-supplied command-line arguments and passes them to a Perl script located at /www/global/bin/run_global. The Perl script contains a critical command injection vulnerability: it constructs shell commands using unsanitized user input and executes them via Perl's system() function. Because the SUID binary runs as root, any commands injected through this vector also execute with root privileges.
The Perl script also contains code that automatically propagates commands across 4chan's server infrastructure via SSH, which potentially explains how the attackers maintained access across multiple systems. Once the attacker was running code as root, the system was completely compromised: they had full control and could read databases, source code, administrative panels, and other sensitive files that were previously inaccessible.
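An added example, not the leaked run_global script, contrasting the pattern described above (joining caller-supplied arguments into one shell string) with a hardened dispatcher that never hands user input to a shell. The operation table, paths and names are hypothetical.

```python
"""Two ways a privileged wrapper can dispatch user-supplied arguments
(added example; the operations, paths and names are hypothetical).

insecure_command() reproduces the pattern described above: the argument
vector is joined into one string for a shell, so shell metacharacters in an
argument become part of the command. safe_command() keeps the argument
vector intact, picks the executable from a fixed table, and validates every
argument before anything is executed.
"""
import re
import subprocess
from typing import List

SCRIPT = "/opt/example/bin/run_task"  # hypothetical privileged script

# Fixed table of operations the wrapper is allowed to perform.
ALLOWED_OPS = {
    "rotate-logs": ["/opt/example/bin/rotate_logs"],
    "reload-config": ["/opt/example/bin/reload_config"],
}
# Board names, hostnames and similar tokens; nothing a shell would interpret.
ARG_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def insecure_command(args: List[str]) -> str:
    """The vulnerable pattern: one shell string built by concatenation."""
    return SCRIPT + " " + " ".join(args)


def safe_command(op: str, args: List[str]) -> List[str]:
    """Return an argv list, or raise ValueError, before running anything."""
    if op not in ALLOWED_OPS:
        raise ValueError(f"operation not permitted: {op!r}")
    for arg in args:
        if not ARG_RE.fullmatch(arg):
            raise ValueError(f"rejected argument: {arg!r}")
    return ALLOWED_OPS[op] + list(args)


def run_safe(op: str, args: List[str]) -> int:
    """Execute without a shell; argv elements are never re-parsed."""
    argv = safe_command(op, args)
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    print(insecure_command(["board-a", "x; extra"]))  # metacharacters survive
    print(safe_command("rotate-logs", ["board-a"]))
    try:
        safe_command("rotate-logs", ["x; extra"])
    except ValueError as exc:
        print("rejected:", exc)
```

run_safe() is only wired up to show the shell-free call; the hypothetical executables do not exist, so the demo prints the argv lists instead of running them.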
One Year Inside: Timeline of the Infiltration and the Final Operation
Multiple reports confirm that 4chan was quietly infiltrated for over a year before the final operation was triggered. The attackers established persistent access, exfiltrated data in phases, and prepared a public breach under the codename Operation Soyclipse. Admins failed to detect the long-term presence.
April 12-14: Operation Soyclipse officially starts, and signs of stress begin to surface: unusual server load and minor glitches. These were likely the result of mass data exfiltration in progress. It remains unclear whether staff recognized the threat at this stage.
April 14: Admin tools, internal emails, board/chat logs, and the full source code are posted on the Soyjak.party imageboard. Defacements restore banned boards like /qa/. Front-end outages and Cloudflare errors appear site-wide. The attack is now fully visible, and 4chan staff start to notice something is wrong.
April 15: Admins notice escalating unusual activity (e.g., unauthorized board changes, leaks spreading). They proactively take servers offline around this time (some sources say late April 14, others early April 15).
April 16-27: 4chan remains down while its infrastructure is fixed and patched. Hiroyuki Nishimura issued a brief public statement acknowledging the incident and stating they were "investigating and working to secure our systems," but no internal staff memos were referenced. On April 27, 4chan returns online with patches: PDF uploads disabled, servers replaced, outdated software updated, and some boards removed.
What was leaked
Approximately 120 GB of internal data was exfiltrated and leaked, primarily posted on Soyjak[.]party and circulated elsewhere online. The primary leak consisted of staff email addresses for approximately 218 moderators, administrators, and janitors. Later, a huge JSON file circulated online containing the staff emails together with their linked breaches and sources (from other websites); each breach entry included a username and hashed password, and sometimes more data such as phone numbers, real names, and last login IP addresses. It seems that after the emails were published, people began extracting leaked data tied to those addresses; one old staff account was linked to nearly 60 breaches. Critically, current administrators had failed to remove or deactivate accounts belonging to former staff members.
This exposure represented a major blow to the site's anonymity for its operators.
- Administrator, Moderator, and Janitor Details:
  - Usernames, email addresses, and associated personal information (including doxxing attempts with photos and identifying details for about two dozen staff members).
  - IP addresses tied to staff logins or recent activities.
- Internal Communications and Chat Logs:
  - Screenshots and logs of private messages among administrators, moderators, and staff, dating back to at least 2023.
  - Discussions covered daily operations, content moderation policies (e.g., handling illegal content), site issues, and personal concerns.
  - Moderation logs detailing actions like deletions and bans.
- Source Code and Technical Infrastructure:
  - The site's backend source code, including server configurations that revealed security flaws (e.g., outdated software, weak encryption, and unpatched vulnerabilities).
  - Internal tools for moderation, user bans, and site stats (e.g., user activity across boards).
- Business reports:
  - Some financial records related to site operations (e.g., advertising revenue and costs), but not tied to individual users.
Investigations, Leads, and Suspects
As of now, there is no public record of major investigations by agencies like the FBI, Interpol, or cybersecurity firms beyond initial analyses. 4chan's owner, Hiroyuki Nishimura, acknowledged the breach but focused on internal fixes (e.g., server replacements) rather than pursuing legal action, possibly because the site's controversial content makes cooperation with authorities tricky. The breach's low financial impact (no ransomware, just data dumps) and 4chan's edgy reputation may have deprioritized it for authorities. However, the breach has been overwhelmingly attributed to users from the rival imageboard Soyjak.party.
Verdict
Maintain and update your systems today, or pay a very high price to do it tomorrow. This critical mistake turned a petty rivalry into a digital reckoning that doxxed volunteers, eroded trust, and forced a costly rebuild.
Signed, 24 Oct 2025
Nathan