/operate/ - Endchan Operations

Let us know what's up


(88.46 KB 700x700 endchan_knight.jpg)
Endchan Hacked Anonymous 02/12/2026 (Thu) 09:08 [Preview] No. 29851
Endchan Hacked

Yesterday (2026 February 11) users exploited a bug in the engine and escalated privileges on user accounts. They gained "root" access to the site, getting the highest privilege, which means they could see users' IPs for all the posts, change site settings, lift range bans, and delete threads and posts.
The real problem from the above is the IPs, which could help break the anonymity of the users.
It seems they had no access to the database, so, for example, they couldn't get to email addresses of registered users. Other than these two types of data, there is not much else to gain.
We found and patched the bug. We are still auditing the logs and the engine; if new information emerges, we'll share it.

Maybe this event means a hit for the site's reputation, but now we can tell that we are on the same level as 4chan. Though at least it is still not 4chan.

No role signo competence is showing.
Edited last time by Shiban on 02/12/2026 (Thu) 09:11.


Anonymous 02/12/2026 (Thu) 09:08 [Preview] No.29852 del
>>29851
My role signature.


Anonymous 02/12/2026 (Thu) 09:09 [Preview] No.29853 del
What the heck.


Anonymous Admin 02/12/2026 (Thu) 09:10 [Preview] No.29854 del
Ah I was logged out.


superhacker 02/12/2026 (Thu) 09:53 [Preview] No.29855 del
I'm the culprit. AMA.


Anonymous Admin 02/12/2026 (Thu) 09:54 [Preview] No.29856 del
>>29851
Two notes:
1. "root" is not the server root. The site engine calls the top role, above the admin, "root". See the Moderation Manual of Endchan. The "root" role allows access to Endchan's moderation pages with Root privileges, which comes with what I wrote in OP.
2. Passwords are stored hashed and, similarly to emails, getting them would have needed access to the database itself.


Anonymous 02/12/2026 (Thu) 09:58 [Preview] No.29857 del
>>29855
Which LLM did you use?


superhacker 02/12/2026 (Thu) 10:05 [Preview] No.29858 del
>>29857
ChatGPT.

I noticed new commits for lynxchan and saw that the fork for endchan was last updated in 2020. Gross negligence if I dare say so. If I didn't turn every global volunteer into a "root", they probably wouldn't have noticed it at all lul


Anonymous 02/12/2026 (Thu) 10:05 [Preview] No.29859 del
Monk could have prevented it...


Anonymous 02/12/2026 (Thu) 10:06 [Preview] No.29860 del
>>29858
Monk?


leet hacker 02/12/2026 (Thu) 10:06 [Preview] No.29861 del
>>29855
You're a faggot, I don't know you. I did the hack to get the IPs so I can sell the data on the dark web. I can see your IP too and it says you are 100% full of shit.


superhacker 02/12/2026 (Thu) 10:08 [Preview] No.29862 del
>>29861
You got me, I admit defeat


Anonymous 02/12/2026 (Thu) 10:11 [Preview] No.29863 del
>>29861
>I did the hack to get the IP's so I can sell the data on the dark web. I
That's going to bring millions, if not billions! Did you get the public or the private IPs? I heard the private ones are hard to route.


leet hacker 02/12/2026 (Thu) 10:12 [Preview] No.29864 del
Good, go back to 4chan you faker before I destroy your computer, I can do that now that I got root access on your IP.


leet hacker 02/12/2026 (Thu) 10:13 [Preview] No.29865 del
>>29863
I used a reverse proxy AI hack, it was easy.


Anonymous 02/12/2026 (Thu) 10:14 [Preview] No.29866 del
>>29864
I cannot be stopped.


Anonymous 02/12/2026 (Thu) 10:15 [Preview] No.29867 del
>>29865
I'll engine x you!


Anonymous 02/12/2026 (Thu) 10:19 [Preview] No.29868 del
Why are you still running this site you useless retards? 2 years ago you let people upload custom CSS that could be used to get lurkers' IP addresses with IP grabbers and now your entire site got hacked. You're low IQ and can't run a site properly and you don't give a shit about your users either. Take down this website if you have any dignity left. I recommend whoever reads this to stop using this website right now.


Anonymous 02/12/2026 (Thu) 10:24 [Preview] No.29870 del
>>29868
Wouldn't this be easily avoidable with a proper content security policy?


Anonymous 02/12/2026 (Thu) 10:24 [Preview] No.29871 del
>>29870
I meant the css ip thingy
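
The question above concerns custom CSS that makes a reader's browser fetch a resource from a third-party host, which shows that host the reader's IP. The following is an added example, not part of the thread and not Endchan or LynxChan code: a simplified Content-Security-Policy evaluator showing which CSS-triggered fetches a given policy still lets through. The host names and both policies are constructed; ports, paths, nonces and hashes are ignored as a stated simplification.

```javascript
// Added example: simplified CSP check for fetches triggered by user-supplied CSS.
// Assumption: host-sources are matched on scheme and host only.
const DIRECTIVE_FOR = {      // CSS construct -> governing CSP directive
  'url-image': 'img-src',    // background: url(...), list-style-image, ...
  'font-face': 'font-src',   // @font-face { src: url(...) }
  'import': 'style-src',     // @import url(...)
};

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(source, target, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return target.origin === self.origin;
  if (s === '*') return ['http:', 'https:'].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme-source
  if (s.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/);
  if (!m || (m[1] && target.protocol !== m[1] + ':')) return false;
  return m[2] ? target.hostname.endsWith('.' + m[3]) : target.hostname === m[3];
}

function cssFetchAllowed(header, kind, url, pageUrl) {
  const policy = parseCsp(header);
  // A missing directive falls back to default-src.
  const sources = policy.get(DIRECTIVE_FOR[kind]) ?? policy.get('default-src');
  if (sources === undefined) return true; // no governing directive: nothing blocks it
  const target = new URL(url), self = new URL(pageUrl);
  return sources.some((src) => sourceMatches(src, target, self));
}

// Which CSS constructs would still reach a third-party host under this policy?
function thirdPartyLeaks(header, pageUrl, probeUrl) {
  return Object.keys(DIRECTIVE_FOR)
    .filter((kind) => cssFetchAllowed(header, kind, probeUrl, pageUrl));
}

// Constructed sample values, not taken from the site.
const PAGE = 'https://board.example/b/';
const PROBE = 'https://logger.example/pixel.png';
const WEAK = "default-src 'self'; img-src *; style-src 'self' 'unsafe-inline'";
const HARDENED = "default-src 'none'; img-src 'self'; font-src 'self'; style-src 'self'";
for (const p of ['', WEAK, HARDENED]) console.log(JSON.stringify(p), thirdPartyLeaks(p, PAGE, PROBE));
```

The `img-src *` in the weak policy is the gap: `default-src 'self'` alone would have covered images, but the more specific directive overrides it.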


leet hacker 02/12/2026 (Thu) 10:27 [Preview] No.29872 del
>>29868
yeah but you cant find the delisted boards which is the only place my IP was, LOOOOOOL


Anonymous 02/12/2026 (Thu) 10:28 [Preview] No.29873 del
>>29851
too bad :/


Anonymous 02/12/2026 (Thu) 10:30 [Preview] No.29874 del
>>29872
Did you shit in the pan?


Anonymous 02/12/2026 (Thu) 10:34 [Preview] No.29875 del
>>29851
Hope you'll use this incident as an opportunity to get better and more secure, find other potential bugs and exploits in your engine before anyone else will do it.
Stay strong.


Anonymous 02/12/2026 (Thu) 11:35 [Preview] No.29876 del
>>29868
Not a real problem if people use Tor Browser
https://www.torproject.org/download/


Anonymous Admin 02/12/2026 (Thu) 12:00 [Preview] No.29877 del
>>29851
Also possible: board transfer, checking board ownership (but not BVs) with last login time, tho logs show board staff usernames.


Anonymous 02/12/2026 (Thu) 12:13 [Preview] No.29878 del
>>29876
boards can ban tor users and whole ip ranges from vpns


Anonymous 02/12/2026 (Thu) 12:19 [Preview] No.29879 del
>>29851
What exactly was in the logs e.g. only IPs for posts or views and downloads too and what was the period affected?


Anonymous Admin 02/12/2026 (Thu) 12:56 [Preview] No.29880 del
>>29879
Several things to address and clarify in your question.
>period
The logs say the first escalation was on 2026 February 11th at 12:44, which means we discovered it about 20 hours later. These logs are accessible from the home page, scroll down a lot.
>logs
There are more logs generated by the engine that aren't published to that page. These logs aren't accessible with global Root privileges, no option in the moderation view or elsewhere.
>views and downloads
The engine doesn't log views and downloads - it's stated in the FAQ too.
>IPs
As for the IPs. When a user is a board or global staff member he can see IP hashes (and ranges) at posts in thread moderation view. For Root, there's an IP instead. So if they wanted to get IPs they had to open each thread. In theory they could harvest with a scraper. I don't know if this was done or not.


Anonymous Admin 02/12/2026 (Thu) 12:57 [Preview] No.29881 del
>>29880
The timestamps there are UTC. In case it's not clear.


Anonymous 02/12/2026 (Thu) 13:05 [Preview] No.29882 del
>>29881
Because of you, some people will be killed and others will be left to rot in prison. How will you take responsibility?


Anonymous 02/12/2026 (Thu) 13:14 [Preview] No.29883 del
(26.02 KB 640x678 1.webp)
>>29880
>superguy
This is hilarious. I imagine pic for some reason.

>>29882
And he doesn't have to take responsibility. You didn't sign any contract when you decided to use this board under which he would be responsible for the safety of your data, did you? No. That's all. As for the moral aspect, over in Australia / New Zealand or wherever he mostly is, he doesn't much care about it, I think. The best he can do in this situation is >>29875, to keep anything like this from happening again.

I'll also second >>29876. For polru schizos and fans of psychoactive substances this is more relevant than ever, on any site. Responsibility for a person lies first of all with that same person, for themselves, and not with someone else.


Anonymous 02/12/2026 (Thu) 13:47 [Preview] No.29884 del
>>29880
Thx for the clarifications.
Basically, root can see IPs of every post on Endchan, even for the ones created many years ago.

>So if they wanted to get IPs they had to open each thread. In theory they could harvest with a scraper. I don't know if this was done or not.
Obviously this was the point.


Anonymous 02/12/2026 (Thu) 15:39 [Preview] No.29885 del
I have no account and I always use a VPN. Checked my network and background OS processes and everything seems fine, nothing abnormal is running in the background or sniffing my traffic. I do use a very secure alternative web browser too (no telemetry, no webgl, no webrtc, no geo api, no camera or mic access because physically disconnected). Everything seems fine for me.


Anonymous 02/12/2026 (Thu) 15:41 [Preview] No.29886 del
>>29878
Boards that ban Tor and VPN = avoided bro. That's just 101 opsec.


Anonymous 02/12/2026 (Thu) 15:48 [Preview] No.29887 del
(27.07 KB 599x519 011.png)
(23.52 KB 939x258 022.png)
(29.69 KB 742x437 033.png)
(29.08 KB 925x296 044.png)


Anonymous 02/12/2026 (Thu) 16:10 [Preview] No.29888 del
How long were users' IP addresses stored?


Anonymous 02/12/2026 (Thu) 16:30 [Preview] No.29889 del
>>29885
You know that your very special alternate browser just makes you unique among all users and thus trackable? Tor Browser is the only way to go because every tor user looks the same


Anonymous Admin 02/12/2026 (Thu) 16:37 [Preview] No.29890 del
>>29884
>Basically, root can see IPs of every post on Endchan, even for the ones created many years ago.
Yes.
>>29888
>How long were users' IP addresses stored?
Until the post gets deleted or thread gets bumped off (deleted).


Anonymous 02/12/2026 (Thu) 16:42 [Preview] No.29891 del
>>29876
yeah basically. I don't understand the mouthbreathing variety of the imageboard user who's not behind tor plus 7 proxies at all times. I'm not even alluding to the possibility of a malicious admin. these hacks can and do happen. oh well. survival of the fittest I guess?


Anonymous 02/12/2026 (Thu) 16:48 [Preview] No.29892 del
>>29891
Indeed. Fit people don't sit at the computer.


Anonymous 02/12/2026 (Thu) 16:49 [Preview] No.29893 del
(200.86 KB 446x366 image (18).png)
>>29851
i already complained months ago, and to you personally i think, that powertripping BVs (such as "endmin" of endchan.org/ttg) are doing weird stuff such as running scripts which track IP hashes to try to discern users or running scripts to delete hundreds of posts, going back months, which did not break any rules, just because they have a personal grudge. allowing this sort of stuff is just a testament to the carelessness which led to what can be presumed a complete leak of all IPs
i had trust in endchan's security, so for the past year i have been posting exclusively from my bare home IP. now all bad actors know i reside in lesotho. thank you shiban.


Anonymous 02/12/2026 (Thu) 17:06 [Preview] No.29894 del
always practice safe text boys
dont rawdog the internet and especially sites that have a particularly annoying pedo spammer
thx for the warning tho op


