Last week we were made aware of a software vulnerability that allowed an intruder access to administrative functions and information from one of our databases. The intruder later stated their motive was to expose the posting habits of a specific user they disliked.
After careful review, we believe the intrusion was limited to imageboard moderation panels, our reports queue, and some tables in our backend database. Due to the way the intruder extracted information from the database, we have detailed logs of what was accessed. The logs indicate that primarily moderator account names and credentials were targeted.
Three 4chan Pass users had their Pass credentials accessed, and were notified and offered refunds and lifetime Passes shortly after the discovery. As a reminder, all payment information is processed securely by Stripe—we never see nor store any of it, and thus no payment information was compromised.
We patched the vulnerability quickly after it came to our attention, and have spent—and will continue to spend—dozens of hours poring over our software and systems to help mitigate and prevent future intrusions.
We’re sorry it happened, and will do our best to ensure it doesn’t happen again.