Some soyjak party anon broke into 4chan after 4 years of work and dumped the source code + db with users and hashed passwords.
/ISG/ is currently talking about it.
There's a very active thread about this on kiwifarms
https://kiwifarms.st/threads/4chan.37222/page-475#post-21102680
And a dev on twitter is doing some analysis on the code.
https://x.com/_yushe/status/1912041750085984276
https://x.com/_yushe/status/1911976973800272108
https://x.com/_yushe/status/1912025058953867353
https://x.com/_yushe/status/1912034013117554910
https://x.com/_yushe/status/1912035368347508783
Apparently 4cins is running on a 10 EOL'd FreeBSD on php 5 (amazing that it took 4 years of work to the soyjak hacker and not just 30 minutes)
Here for the archive with the source:
https://litter.catbox.moe/a8z45n.7z + zip attachment
Hilarious.
cool
>>29007
and where exactly would you code a token? in a separate text file which would also be present in the leak?
>>29011
Usually env variables of some sort. there are also secret engines, etc.
>>29011
some people store them on supabase vault or like the other anon said, on an .env file that is ignored by git
>10 year old freeBSD install
Schizos btfo there was no glowie infiltration of 4chan. Moot just stepped out for a cigarette ten years ago and nobody has updated the site since.
>>29015
This shocked me. I knew they were incompetent but not that they were this incompetent.
>>29011
>and where exactly would you code a token?
Bruh.
https://wiki.soyjak.st/Great_Cuckset
The Great Cuckset (also known as the Liberation of /qa/ and The 'Ack) refers to an event that started on April 14th, 2025 (or April 15 depending on your time zone, it happened at midnight for AmeriGODS), where someone who later named himself S0I1337 (also known as Captain Gem) would hack into 4cuck and reopen /qa/[1], leak the source code as well as the jannies' IPs, emails and hidden board. A thread was stickied on /soy/ regarding this event.[2]
According to S0I1337, it was done by exploiting a vulnerability on 4chan's outdated GhostScript version from 2012 by uploading a malformed PostScript file renamed to PDF to gain arbitrary code execution as 4chan didn't check if files with PDF extensions were actually PDF files, and not through social engineering, betrayal or SQL injection. It was also revealed that 4chan ran on FreeBSD 10.1, which went end-of-life in 2017[3], outdated versions of nginx, PHP and MySQL and its source code was riddled with vulnerabilities; basically it was just waiting to be exploited. The servers were physically shut down to prevent further mining of the databases after a few minutes, although it's unknown at the moment how much was successfully downloaded from 4cuck's servers.
The hacker successfully leaked:
4chan's source code, including a 10,403 line php file called imgboard.php, all of which can be found here -
https://files.catbox.moe/d56ws8.7z
All of 4chan's /j/ board here
https://files.catbox.moe/czivhs.7z , with an easy-to-access archive here
https://bvll.neocities.org/j/ .
All recent staff IPs here
https://files.catbox.moe/57t745.txt .
A list of jannies and their emails here
https://files.catbox.moe/ys4s5k.txt , along with their passwords in the form of APR1 (MD5) hashes here
https://files.catbox.moe/639lxc.txt .
The janny irc here
https://files.catbox.moe/93d0r8.rar .
The names and emails of everyone who contributed to the Yotsuba git repo here
https://files.catbox.moe/yypkoa.txt .
Every 4cuck user's clitty.
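The missing upload check described in the quoted wiki text above (a file with a PDF extension that was never verified to be a PDF), sketched as an added example that is not part of the thread or of 4chan's code. The function names and sample bytes are constructed for illustration.

```python
import re
from typing import Tuple

# Allowlist: the only content accepted for a ".pdf" upload is a real PDF header.
PDF_HEADER = re.compile(rb"%PDF-[12]\.\d")
# Signatures used only to give a precise rejection reason:
# "%!" PostScript/EPS, Ctrl-D-prefixed PostScript, DOS EPS binary header.
PS_SIGNATURES = (b"%!", b"\x04%!", b"\xc5\xd0\xd3\xc6")

# Constructed sample inputs (benign), not taken from the leak.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
SAMPLE_PS = b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\nshowpage\n"


def sniff_type(data: bytes) -> str:
    """Classify by leading bytes only; the client-supplied name is ignored."""
    if PDF_HEADER.match(data):
        return "pdf"
    if data.startswith(PS_SIGNATURES):
        return "postscript"
    return "unknown"


def validate_pdf_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when the extension and the content both say PDF."""
    if not filename.lower().endswith(".pdf"):
        return False, "extension is not .pdf"
    kind = sniff_type(data)
    if kind != "pdf":
        return False, f"content is {kind}, not PDF"
    if b"%%EOF" not in data[-1024:]:
        return False, "missing %%EOF trailer"
    return True, "ok"


if __name__ == "__main__":
    for name, blob in [("a.pdf", SAMPLE_PDF), ("b.pdf", SAMPLE_PS)]:
        print(name, validate_pdf_upload(name, blob))
```

Content sniffing only keeps non-PDF input away from the renderer; it does not make an outdated Ghostscript safe to run on the files that pass.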
What the fuck is /qa/ and how did they "win" or get "liberated"?
Is that what it was all about? Butthurt over /qa/ getting shut down?
we have a thread called /isg/ for this kinda stuff
>>29033
/qa/ was basically the epicenter of soyjaks and the whole culture surrounding them, they got kicked off and for years this fueled a resentment of 4chan that led to a hacking
>>29035
>the cancer killing 4chan
>actually killed 4chan
Damn, I think we should warn our mods.
thats what you get for making ppl wait 15mins to post
>>29035
We got kicked off after we raided the gay board due to jannies blocking people for wrongthunk regarding Israel.
>>29032
Why are you using that stupid fucking frog then?
q or a stand for? What was the board?
>>2226320
That 'fren' shit is 4chan shit. Are you shitting on 4chan or are you one of them? Why do you post the frog? That's for angry manchild incels.
sick even doe i hate sharteens and i hated /qa/
>>29044
The frog is timeless and stands above any and all moral connotations. Fuck 4chan but fuck you frog hating faggos more.
once again no one ever tried, they thought it was too big and mustve been protected
>>29062
no one could be bothered
Scarcely a juicy target, now is it?
pdf files will hang
>>29062
The site has been ungodly shit for years. Hope it stays dead
Something I don't understand about why everyone is freaking out is the source code being leaked isn't that big of a deal.
Google and read Vichan's code. It's been out for a while.
The only major revelation here is the mod/jannie dox. That's about it.
4chan will be back up in a day or so probably, depending on how responsive who ever is the real admin these days is.
The mods will have their lives ruined probably.
>>29069
4chan source code? we could make our own chans?
considering its been exposed as a lump coprolite im not sure why anyone would really bother as you'd have to completely update it first.
>>29070
You always could.
Literally google my man.
A thought just occurred to me.
It seems, the admin/owner is super hands off or entirely disconnected from anything on the site. The mods/jannies are all volunteers with a few paid ones. Obviously none of them know how to run a site or code.
The ownership has changed hands a few times over the years.
What if whoever owns the site currently has no idea how to log into the box or where the box even is any more that the site even runs on. That would be the ultimate irony.
The owner of the world's most popular website had locked themselves out since 2012 and never told anyone.
How hard is it to sudo dnf update every once and a while?
>>29069
It won't be the same, and no one will ever trust giving emails or waiting 900 seconds to make a post just so the chink can keep collecting 4chan passes
there's no way they have a backups either or any systems in place to fix the structural issues that have been neglected for over a decade, its and it'll be dead on the water for anyone trying to bring it back.
I wonder if anyone did but they just used it under the radar.
I wonder what other site will be used to spread far right propaganda
>>29077
Your email is safe…
Ah, I wish I was in the official discord or irc. I wonder how panicked and doomer they are right now.
Also it was hacked by a bunch of chuddy European teens
>>29074
What’s the difference between a mod and a janny? I know both are volunteer so it can’t be that mods get paid, right?
>>29077
I hate how computer illiterate everyone is.
>>29084
Janitors can delete posts and submit bans. Mods approve bans and can do fancy stuff like lock or move threads.
>>29080
Twitter, but it feels like Elon always has a good reason to bail on that, so it's more anomalous that twitter persists than doesn't.
It'd be funny if Truth Social ended up getting too big to moderate.
>>29087
I considered applying for janitor a few times but always decided against it since it would mean having to sit in a Discord and get to know people and that all seemed cliquey and annoying. I was right haha. I wonder how many janitors will be scared off. They'll have to recruit new ones when the site comes back up.
4chan's moderation/site management is deeply flawed for both its opaqueness and its refusal to proactively improve the site. Mods and janitors weren't your fellow poster, they were an infallible invisible force. That's why janny hate was so prevalent.
>>29089
Yeah that would bore me to tears and I spend enough time on the internetz. Plus too much responsibility for such low reward.
>>29091
If I recall tho the “no racism outside of /b/“ rule was NEVER enforced. For example I went to /x/ trying to find creepypastas and shit and it was all just new-age flavored racist conspiracies and just as many slurs as the containment boards. Even the hobby boards had it.
>>29092
I wouldn't say it was unenforced, more that the post had to be pretty much nothing but the racism. Like "Your opinion is wrong for x y z reasons you stupid slur" never gets banned, but "kys you gorilla slur" would be consistently when reported.
Loads of rules were just inconsistently enforced, that was one of the big problems and it wasn't just racism. You could call someone or just "uyghur" in one thread and get away with it, and then use it in a thread on another board and cop a three day, depends if it was reported, seen by a mod or who that jannie or mod was and how thin skinned they were.
Apparently there was a post of KF or sharty giving a rundown on the mods and which boards they moderated, with some boards just completely unmoded or having like one.
I was looking at the jannie list as I suspect that there was one that actively used a general I posted in, who when annoyed would report people. There seemed to be a mod of sp who would continually auto-sage /cric/, /afl/ and /nrl/ threads as well, for any actual rule violation, for personal grievances or just to fuck with people? who knows.
>>29094
sage-ing is when you set your reply so it doesn’t bump the thread, right?
>>29095
Bruh look at what moot making sage invisible caused. But yes.
>>29096
What’s the issue with bumping threads? Why is that such a big deal? Like if one thread is too popular it becomes annoying for other users to see different threads? Just curious.
>>29097
sage was born on 2ch to intentionally keep threads hidden in the thread list (similar to an imageboard's catalog) so trolls lurking the front page wouldn't find them. Kind of lost much of its purpose when Futaba came to be and introduced pagination but it still exists to make a post without bumping a thread.
>>29098
Ah, gotcha. It’s a HUGE deal on lolcow farm, btw. Every other post is someone bitching about it.
>>29092
I got hit with it a few times for insulting crackkkas.
>>29100
Yeah the chuds always get real butthurt about that
>>29069
It's not about the unsavory elements found within it (like all the tracking and shadowban mechanisms), but security vulnerabilities. And you don't seem to know the differences between closed and open source code when it comes to vulnerabilities.
In open source projects (like Vichan), vulnerabilities are rarer because there's more eyes on the code which means they're more likely to get spotted and fixed, oftentimes very quickly by the person who noticed it.
This sounds counterintuitive since a malicious actor can potentially spot a vulnerability before anyone else and exploit it, but in practice this rarely happens because vulnerabilities get routinely fixed at a very good rate.
Closed source (like 4chan), though, has more vulnerabilities for two reasons:
>less people looking and checking the code means they're more likely to go undetected
>increased sloppiness by the coders since the code is only available to select groups that aren't malicious, thus they don't see a reason to write better code
Closed source has both a high rate of vulnerability creation AND a low rate of vulnerability fixing. This means vulnerabilities accumulate over time. A closed source code being leaked is a disaster because now you've got the threat of malicious actors looking at it while the source code itself is riddled with orders of magnitude more vulnerabilities than open source. This makes the probability of a malicious actor discovering a vulnerability near-guaranteed (and indeed, people have already discovered various problems with 4chan's leaked code that aren't the PDF file vulnerability that the hacker used).
So, will 4chan take legal action against the hackers in the future?
>>29102
Vichan is based off of a previous release of 4chan code
>>29076
Software was too old, they stopped updating it years ago
>>29102
There's more pressure to write good code in open source because otherwise the first hacker to come around would break your ass in a day, while with proprietary stuff programmers like to think that nobody will be able to spot their slop.
Also, peer pressure.
>>29104
Nope, it's based off Tinyboard, which is a clone of 4chan, but doesn't share a single line of code (unless 4chan copied something over the years lol)
>>29126
Welcome to the post-2016 landscape, I hate it too.
>>29046
This whole situation is basically infighting between terminally online chuds, but 4chan has been dead since moot sold it. Even if it comes back, I don't think it'll survive for long.
>Ever wanted to download 4chan?
No.
>>29103
That would be a gloriously entertaining shitshow. Please God make it happen and I'll make everyone popcorn.
>>29126
The "Why" to everything pertaining to the soyjak scene is simply: It gets attention. Literally the entire point is nothing more than to annoy people and be as odious and trashy as possible.
>>29012
not secure if the server is compromised, which is the subject, the rest is gigabloat
>>29019
I didn't make that syntax up was just quoting, and if you know then tell
>>29047
what do you mean? if you ever had to deal with this you know the question is relevant and not straightforward
>>29141
HOOOoo HOOooo CAW XD
>those /pol/ tel aviv ip leaks
kekd
>>29160
>since 2014
edited
it's 3rd :^)
>>29160
isn't the count of flag posts already available in archives? and vpns can allow anyone to fake their country, not sure how this pic means anything relevant
>>29068
started with diarrhea, ended with diarrhea
>>29002
>Futanata
Dear Lord…
>>29160
No. This is from the 3rd-party archive 4plebs, and they classify memeflags as "Israel" in their statistics based on the joke/meme that they're all supposed to be Jewish. It's not literally true.
Pic related is the actual number of Israeli flag posts from the search. Slightly higher than Mexico in that list but not one trillion or whatever.
https://archive.4plebs.org/pol/search/country/IL/
>>29046
>Why would other anti-establishment underground anonymous factions be working against each other?
As a bored refugee, I think it is kind of hilarious.
>>Are we at risk here?
nobody is at risk except those that were stupid enough to give personally identifiable information to the website formerly known as the asshole of the internet.
>>Are we next?
I assume all chan admins are taking a look at their codebases, but it sure looks like hiro (probably misspelled, but the guy that purchased 4chan from moot), really neglected even basic web practices. Play stupid games, win stupid prizes.
this titty konata was drawn by tf2 youtuber starykrow, for those who want the source
>>29046
>Why would other anti-establishment underground anonymous factions be working against each other?
Because 'anti-establishment' is a meaningless label.