4chan Has Been Down Since Monday Night After 'Pretty Comprehensive Own'

4chan was reportedly hacked Monday night, with rival imageboard Soyjack Party claiming responsibility and sharing screenshots suggesting deep access to 4chan's databases and admin tools. Ars Technica reports: Security researcher Kevin Beaumont described the hack as "a pretty comprehensive own" that included "SQL databases, source, and shell access." 404Media reports that the site used an outdated version of PHP that could have been used to gain access, including the phpMyAdmin tool, a common attack vector that is frequently patched for security vulnerabilities. Ars staffers pointed to the presence of long-deprecated and removed functions like mysql_real_escape_string in the screenshots as possible signs of an old, unpatched PHP version. In other words, there's a possibility that the hackers have gained pretty deep access to all of 4chan's data, including site source code and user data.

Stopped updating in 2016

[jhoegl]

"own" is more of... they left it to fend for itself.

Re:

[laxguy]

you mean to tell me moot left us hanging?!

Re:

[Bert64]

TLSv1.2 has been around since 2008 so most likely they do.
If they haven't updated since 2016 then they won't have TLSv1.3 which has been the standard since 2018.

Re:Stopped updating in 2016

[PPH]

Nah. They've been working on it actively. Trying to mine users information (it was supposed to be an anonymous board) for marketing purposes. "Either put up with a 15 minute delay to post or verify your e-mail address with us."

And they had ClownFlare working with them. To make sure everyone had JavaScript turned on. So their scammy banner ads would work.

Re:

[Anonymous Coward]

The 15 minute delay is if you don't have the cookie that indicates recent activity. They had too much trouble with bot posters that would post for the "first time". The side-effect is if you don't use a particular computer to post for a few days, the cookie expires and you have to go through the 15 minute delay again. And there are other ways to get around the ads. Slashdot made a change to ad blocking a few months ago that's much more annoying than what 4chan does.

Re:

[allo]

Account with E-Mail or a cookie that is weeks old doesn't matter, you can be tracked over these weeks using the cookie.

Re:

[Pinky's Brain]

Which is worth 5 cents total to marketers.

Re:

[Ickyban]

Why would they stop updating? Seems completely illogical.

Re:

[HotNeedleOfInquiry]

Nothing of value was lost...

Actual Attack Vector

[Hudson9]

"Contrary to popular belief, it was not SQL injection.
The exploit is such:
4chan allows uploading PDF to certain boards (/gd/, /po/, /qst/, /sci/, /tg/)
They neglected to verify that the uploaded file is actually a PDF file. As such, PostScript files, containing PostScript drawing
commands, can be uploaded.
Said PostScript file will be passed into Ghostscript to generate a thumbnail image.
The version of Ghostscript that 4chan uses is from 2012, so it is trivial to exploit.
From there, we exploit a mistaken suid binary to elevate to the global user."

Re:

[parityshrimp]

It started at -1; OP apparently spends most of their time being a troll.

Exactly the kind of poster most likely to be informed about the topic at hand.

Re:

[Hudson9]

It's been dead since around 30 min after the sharty poster gained complete control, the homepage may still be up but that is hosted separately from the boards. It'll likely take weeks to repair unless they're willing to risk another hack due to not completely patching all the spaghetti code

Re:

[thegarbz]

The site is available (at this moment) so your claim can be tested. I wonder why it's been immediately modded down.

Speaking of testing the claims. The site is *not* available. You may hit the landing page 4chan.org, but if you navigate to any board you'll get a Connection Timed Out error. It's been like this since before this story was published yesterday, and it's like this now.

The only person here who deserves a downmodding is you.

Re:

[Lehk228]

4chan being hacked with a .pdf file is kinda hilarious.

Re:

[CEC-P]

A bunch of their users are PDF files too so maybe they just expanded the definition and let anything go.

And they rejoiced

[TheMiddleRoad]

I've never seen such an uplifting post on /.

Too bad 4Chan went down after their members took over the US government.

Re:

[drinkypoo]

We'll see when the list of email addresses is scrutinized...

Re: Oh no!

[viperidaenz]

My guess would be try to link email addresses to public figures and try to blackmail them with the threat of releasing all of their posts

Hey there mr politician, I see you post some pretty racist stuff on 4chan, would be a shame if it went public in time for the next election

Re:

[phoenix321]

Half their posts came from Israeli IP ranges. So it's the counterpart to the Epstein operation, blackmailing the people who couldn't be blackmailed with Epstein island flights.

4chan, the sphincter of the internet

[spazmonkey]

Historically, if 4chan had an outage for any length of time, the rest of the internet would suffer what was released upon it.
Reasonable forums would be overrun with trolling and shitposting.
No idea if that still holds true, or if 4chan is even still relevant. But it used to do the job of holding in all the excrement and keeping it away from the rest of us.
I am betting that they still don't just stop posting just because 4chan is down. Reddit mods are probably having a very bad day

Re:4chan, the sphincter of the internet

[thegarbz]

Reasonable forums would be overrun with trolling and shitposting.

It's 2025. There's no reasonable discourse left on the internet. You can thank Trump for that, or Biden, or TDS, or the Climate Hoax, or the WuFlu, etc. etc. Honestly 4chan and it's children shouting the N word is child's play. I remember when it was actually newsworthy to see a troll draw a swastika, now you find them everywhere.

I long for the days where 4chan was the worst of humanity on the internet.

Re:

[dfghjk]

And from the article: 'Security researcher Kevin Beaumont described the hack as "a pretty comprehensive own" ...'

Even alleged professionals speak like 13 year olds, because that's who they are. No self-respecting person would say this professionally, a teenage would.

The internet glorifies people with who are emotionally stunted, that's why we have the president we have.

Re:

[AmiMoJo]

There could be consequences for some of the 4chan users. There are many .edu email addresses belonging to moderators, which include their full names.

Re:

[Random361]

There could be consequences for some of the 4chan users. There are many .edu email addresses belonging to moderators, which include their full names.

I'm surprised it wasn't a sport to just sign up the professional email addresses of people you despise. Think of it as a variant of shitposting.

Re:

[Nrrqshrr]

It's a well-known fact that many alphabet soup agency operate on 4chan either to disseminate (dis)information or to watch what the social rejects have to say.
In fact, to not go into graphic details, a certain kind of spam on the political board disappears entirely when major events happen (Russian offensive, the 7th october attack...)
The agents are simply too busy on those days to do their usual spam.

Re:

[drinkypoo]

Historically, if 4chan had an outage for any length of time, the rest of the internet would suffer what was released upon it.
Reasonable forums would be overrun with trolling and shitposting.

Now they can just go to X, which is already overrun with trolling and shitposting, plus all the other kinds of shit which people post on 4chan.

Not PHP

[Kisai]

This isn't a PHP issue, this is literately they "fed stuff to ghostscript via php" thus ghostscript ran postscript code inside the webserver process.

Like on it's face this is a pretty basic, dumb, hack. A properly secured site, regardless of the PHP version would not run "non-php" shell programs. All it would have taken is uploading a PDF file that grabbed a known file (eg index.php) and post it, and then figure out the configuration data from that.

Outdated site software.

[bejiitas_wrath]

The website was running on a version of Freebsd that was severely outdated. Version 10.1. A PDF exploit using Ghostscript allowed running a SUID binary to gain access. There is no excuse for running such an outdated version in 2025 when version 13.5 is out now. This is just laziness.

Re:

[Vlad_the_Inhaler]

Laziness or cluelessness?
The people running this site don't appear to know what they are doing, the ones who did have probably moved on to some role in the new gummint so expect those who are held to be responsible to be deported to El Salvador.

phpmyadmin

[allo]

Seriously, it is like 4 lines of config to put that thing behind http auth and never have a problem with its security vulnerabilities again.
Or use a desktop client for MySQL and don't install anything on your webspace.

I fear the worst

[buchner.johannes]

Potentially, this means the entire 4chan user interaction chain and all posts and their language will be available for download. Then AI researchers will use it to study social networks and language. Then we will get 4chan regurgitated back to us by AI tools.

File under

[Inglix the Mad]

Not a single thing of value of was lost.

I'm half joking.