Null
Ooperator
Fact Sheet
Definitely Compromised
For at least the 4,611 users contained in the breach.
Likely for more than those 4,611 users, based off of what was seen.
What was discovered likely depends on the perceived value of the target.
Remedies
Genies do not go back in bottles but it is possible to mitigate what impact this will have.
Help, my email was tied to my identity in some way.
Suggestion: Make a Talk to Staff thread. You can either ask for a name change or an account deletion. I will do either no questions asked.
If you want a name change, say which name in your post or I will give you one at random. (Click to make thread)
If you want to delete your account, your posts will be given a new name as guest posts but your account data will be gone. If you have broken speech laws in your country (UK, NZ), I advise doing this. (Click to make thread)
Help, I wasn't using a VPN!
It is unlikely an IP will ever come back to haunt you. Even if you used a corporate or educational networks unprotected, the best an IP can do is say "this person is from there". It does not link back to you and would require a considerable amount of effort and cooperation from the ISP to trace to a single person. For domestic connections, IPs reveal your ISP, not your home. Your ISP can be on the same street or several cities away.
This is an example of what information an IP gives.
I do not feel in any way endangered by this information.
Help, I DM'd yawning sneasel my butthole (but otherwise my account is fine).
Suggestion: Make a Talk to Staff thread asking for conversations to be deleted. That's the best I can offer. (Click to make thread)
Help, I live in the UK and I said something bad about Muslims, please delete my posts.
I am happy to delete accounts and give plausible deniability but I will not be deleting any content off the site.
Side note: Deleting or renaming your account does not magically obliterate all references to your original username on the site and I will not be inventing something that does that.
Moving Forward
I am completely abandoning all in-house monetization plans. (i.e. currency, account upgrades).
Conversations will be automatically deleted over time.
Policy on account deletions and renames will be reversed. Entirely, for now.
Privacy Refresher
how to not use your .gov and .edu email addresses
(If you're wondering, no. I banned all *.edu and *.gov domains and made existing ones change their email after the Vordrak downtime in 2017.)
1. Get a password manager
I use LastPass, which is an excellent consumer password manager.
https://lastpass.com/
... though the elite hackers would advocate using these.
https://www.privacytools.io/software/passwords/
2. Use Passphrases
"A good plan, violently executed now, is better than a perfect plan next week."
is better than "xSDKj/s4202"
The first is both a million times stronger and a million times easier to remember than a short, random string.
3. Set up alter egos
i.e. segregate porn, wrongthink, personal, and government
Providers can be found here.
https://www.privacytools.io/providers/email/
4. Use VPNs
(Warning: Shill links for things I use.)
PrivateInternetAccess, proven in court to not log IPs.
NordVPN, very popular consumer VPN but somewhat distrusted due to their aggressive marketing.
For a general list, this website is excellent in general.
www.privacytools.io
Bonus Fun
Automatic fake identity generator.
https://www.fakenamegenerator.com/
Fake pictures (warning: some are awful and funny)
https://thispersondoesnotexist.com/
On a long enough timeline, every website you've ever used will be compromised. The only way to adequately protect yourself is to proactively compartmentalize your data. No one can do this for you but you.
Definitely Compromised
For at least the 4,611 users contained in the breach.
- IP addresses used since at least the beginning of September.
- Account details (email, birthday).
- Recent content you've made (particularly threads in Talk to Staff / Proving Grounds).
- The most recent index (titles, participants) of conversations you're a part of.
Likely for more than those 4,611 users, based off of what was seen.
What was discovered likely depends on the perceived value of the target.
- Full conversations, perhaps all of them.
- Moderator boards, which is probably fine because it's really boring.
- Private boards, which is mostly shitposting anyways.
- If you use 2FA, nothing about your authentication device (phone) is exposed.
- It does not appear any forum content was deleted.
Remedies
Genies do not go back in bottles but it is possible to mitigate what impact this will have.
Help, my email was tied to my identity in some way.
Suggestion: Make a Talk to Staff thread. You can either ask for a name change or an account deletion. I will do either no questions asked.
If you want a name change, say which name in your post or I will give you one at random. (Click to make thread)
If you want to delete your account, your posts will be given a new name as guest posts but your account data will be gone. If you have broken speech laws in your country (UK, NZ), I advise doing this. (Click to make thread)
Help, I wasn't using a VPN!
It is unlikely an IP will ever come back to haunt you. Even if you used a corporate or educational networks unprotected, the best an IP can do is say "this person is from there". It does not link back to you and would require a considerable amount of effort and cooperation from the ISP to trace to a single person. For domestic connections, IPs reveal your ISP, not your home. Your ISP can be on the same street or several cities away.
This is an example of what information an IP gives.
I do not feel in any way endangered by this information.
Help, I DM'd yawning sneasel my butthole (but otherwise my account is fine).
Suggestion: Make a Talk to Staff thread asking for conversations to be deleted. That's the best I can offer. (Click to make thread)
Help, I live in the UK and I said something bad about Muslims, please delete my posts.
I am happy to delete accounts and give plausible deniability but I will not be deleting any content off the site.
Side note: Deleting or renaming your account does not magically obliterate all references to your original username on the site and I will not be inventing something that does that.
Moving Forward
I am completely abandoning all in-house monetization plans. (i.e. currency, account upgrades).
Conversations will be automatically deleted over time.
Policy on account deletions and renames will be reversed. Entirely, for now.
Privacy Refresher
how to not use your .gov and .edu email addresses
(If you're wondering, no. I banned all *.edu and *.gov domains and made existing ones change their email after the Vordrak downtime in 2017.)
1. Get a password manager
I use LastPass, which is an excellent consumer password manager.
https://lastpass.com/
... though the elite hackers would advocate using these.
https://www.privacytools.io/software/passwords/
2. Use Passphrases
"A good plan, violently executed now, is better than a perfect plan next week."
is better than "xSDKj/s4202"
The first is both a million times stronger and a million times easier to remember than a short, random string.
3. Set up alter egos
i.e. segregate porn, wrongthink, personal, and government
Providers can be found here.
https://www.privacytools.io/providers/email/
4. Use VPNs
(Warning: Shill links for things I use.)
PrivateInternetAccess, proven in court to not log IPs.
NordVPN, very popular consumer VPN but somewhat distrusted due to their aggressive marketing.
For a general list, this website is excellent in general.
VPN Services | PrivacyTools
Find a no-logging VPN operator who isn't out to sell or read your web traffic.

Bonus Fun
Automatic fake identity generator.
https://www.fakenamegenerator.com/
Fake pictures (warning: some are awful and funny)
https://thispersondoesnotexist.com/
On a long enough timeline, every website you've ever used will be compromised. The only way to adequately protect yourself is to proactively compartmentalize your data. No one can do this for you but you.
Last edited: