pretty interesting discovery if that was the hack.

do you know what the legal implications are for this?

if the company that owns 4chan finds the identity of the attacker, could they sue him in civil court? or do they send whatever logs they have to the FBI and the FBI would initiate a criminal prosecution? also what is the criminal act here? is it accessing their systems, or is it posting the data that they found "through unauthorised means" on a public channel like twitter? does the "computer fraud and abuse act" apply?

like if you found this exploit, and sent it to the company in good faith (ie a "good hacker"), are you free from prosecution? and what is the grey area, like if you found this exploit and then just sat on it for a while (let's say you didn't report it to the company, but let's also say you didn't abuse it, ie leak private data to twitter)