Back online after ‘catastrophic’ attack, 4chan says it’s too broke for good IT – Source: go.theregister.com

Clearweb cesspit 4chan is back up and running, but says the damage caused by a cyberattack earlier this month was “catastrophic.”

In a statement released on Saturday, the .org’s official blog site said “a hacker using a UK IP address” was to blame for the intrusion, which led to vast amounts of important data being stolen.

It went on to loosely confirm the rumors that surrounded the initial April 14 incident, which, as The Register reported, was suspected to have been the work of an attacker exploiting a near-decade-old version of PHP.

4chan’s statement did not reference PHP or any specific vulnerability, but provided more details on how the attack unfolded.

“On the afternoon of April 14th, a hacker using a UK IP address exploited an out-of-date software package on one of 4chan’s servers, via a bogus PDF upload,” it said. “With this entry point, they were eventually able to gain access to one of 4chan’s servers, including database access and access to our own administrative dashboard.

“The hacker spent several hours exfiltrating database tables and much of 4chan’s source code. When they had finished downloading what they wanted, they began to vandalize 4chan at which point moderators became aware and 4chan’s servers were halted, preventing further access.”

The website – notorious for turning a blind eye to hate speech, extremism, violence, and leaked nude images – then proceeded to complain about not having enough money to maintain its tech.

It blamed its failure to update its operating systems, code, and infrastructure on “having insufficient skilled man-hours” – a byproduct of “being starved of money for years by advertisers, payment providers, and service providers who had succumbed to external pressure campaigns.”

Efforts to procure new kit began in late 2023, 4chan claimed, and until then the website was running on servers purchased second-hand by founder Christopher Poole before he left in 2015 after 11 years at the helm.

By April 2024, 4chan had agreed the specifications for the servers it needed and began searching for suppliers willing to deal with it, of which there were predictably few.

“Money is always tight for us, and few companies were willing to sell us servers, so actually buying the hardware wasn’t a trivial problem,” it said. “We managed to finalize a purchase in June, and had the new servers racked and online in July.

• 4chan, the ‘internet’s litter box,’ appears to have been pillaged by rival forum
• New York Times source code leaks online via 4chan
• Attempts to demolish guardrails in AI image generators blamed for lewd Taylor Swift deepfakes
• 4chan and other web sewers scraped up into Google’s mega-library for training ML

“Over the next few months we slowly moved functionality onto the new servers, but we had still been relying on the old servers for key functions. Everything about this process took much longer than intended, which is a recurring theme in this debacle. The free time that 4chan’s development team had available to dedicate to 4chan was insufficient to update our software and infrastructure fast enough, and our luck ran out.”

Two weeks after the incident and the website is back up and running, with the breached server replaced and critical software fully updated.

4chan confirmed that PDF uploads have been temporarily disabled and hinting at a potential connection with the PDF attack, the Flash board – a sub-forum dedicated to Flash games – has been shuttered for good “as there is no realistic way to prevent similar exploits using .swf files.”

Still down on its financial luck, the image board is relying on newly recruited volunteer techies to help ease the burden on its back end while remediation and mitigation work continues.

“4chan is back,” its statement concluded. “No other website can replace it, or this community. No matter how hard it is, we are not giving up.” ®