Security at
Security always matters more than anything else, especially at We take all security matters very seriously and will always be proactive when looking for any vulnerabilities.
Posted with ❤️ on May 6, 2023

At, nothing is more important than security, which is why today we performed a routine checkup and refreshed configs. If you haven't yet, grab your new config in your dashboard. We have never experienced any hacks or breaches, and we pride ourselves on being the most secure image host out there, even after some of our competitors have tried (and failed) to illegally gain access to our servers or our user data. If you are caught trying to breach or hack any of our services, all data on you (including username, email, Discord account, IP address, and any other data) will be swiftly reported to law enforcement agencies such as the FBI. If we do ever experience a breach, you will be the first to know and we will work tirelessly to mitigate and repair any intrusions. Any code files or snippets leaked by third parties may be tampered with and do not represent the full image of our service. Please refrain from taking anything seriously that was said by those parties regarding security issues and/or infrastructure organization as the provided "proof" could have been modified to worsen's image. We use world-class security measures to make sure our users are the most secure users of any image host ever.

And now to MalwarePad...

As the person who has built this place from the ground up and continues to take pride in it, I have a couple of things to say. We've had plenty of people try to "debate" our security measures. The following many will not like: if you think you are even qualified enough to judge my security, you're simply wrong. Signed has top-notch security and all edge cases have been calculated and considered. Do you not believe me? Here is a small diagram of how the authentication process works:

We follow the procedures a regular OAuth2 login system has. It's simple: when a user succeeds in the authentication process by logging in using a username, password and - if enabled - 2FA token, they will be granted what's called a JWT Token. This token expires after exactly 7 days, which is the period the login session is valid for. When fetching information or making changes from inside the dashboard, you are supplying the API with this JWT Token to prove who you really are. This is the exact same system large platforms such as Google, Amazon and Microsoft use. If you think you can bypass's security, you will have no problem doing the same to those big companies!

Diagram of's security

Some of you more experienced folks who may have some experience with programming and infrastructure management might be asking: "How do configs (sxcu files) work then? They don't expire after 7 days, yet they have the same layout as a regular JWT Token would!" You're right! They don't expire and they use the exact same cryptography technology to operate. In there are two types of "tokens":

  • A "dashboard token" which can be used to fetch or edit any data inside the dashboard and expires after 7 days.
  • An "upload token" which can be used to upload or delete files and never expires.

Using this layout, we can differentiate between the two token types on the fly and disallow operations of one when using the other one respectively.
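One way the token-type separation described above can be enforced on the server, as an added example that is not the service's own code. HS256, the demo key, the `use` and `gen` claim names and the per-user config generation counter are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: HS256 with a single server-side key
WEEK = 7 * 24 * 3600              # dashboard session lifetime stated in the post
CONFIG_GEN = {"alice": 1}         # constructed state: current config generation per user

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    mac = hmac.new(SECRET, signing_input.encode(), hashlib.sha256)
    return b64e(mac.digest()).encode()

def issue(user: str, use: str, now: float) -> str:
    """Mint a token; "use" is a hypothetical claim naming the token type."""
    claims = {"sub": user, "use": use}
    if use == "dashboard":
        claims["exp"] = int(now) + WEEK        # only dashboard tokens expire
    else:
        claims["gen"] = CONFIG_GEN[user]       # lets a config refresh revoke it
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{sign(head + '.' + body).decode()}"

def authorize(token: str, required_use: str, now: float) -> dict:
    """Return the claims if the token may be used on this kind of endpoint."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    head, body, sig = parts
    # Verify with the server's fixed algorithm before trusting any claim.
    if not hmac.compare_digest(sig.encode(), sign(head + "." + body)):
        raise PermissionError("bad signature")
    claims = json.loads(b64d(body))
    if claims.get("use") != required_use:
        raise PermissionError("wrong token type for this endpoint")
    if required_use == "dashboard" and now >= claims.get("exp", 0):
        raise PermissionError("expired")
    if required_use == "upload" and claims.get("gen") != CONFIG_GEN.get(claims["sub"]):
        raise PermissionError("config was refreshed")
    return claims
```

Because the type claim sits inside the signed payload, the holder of a token cannot relabel it. A never-expiring upload token still needs a server-side revocation check, which the generation counter stands in for here.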

So, next time you see someone going around spreading misinformation about, do not hesitate to send them this blog post. I don't really need to mention it but if you have any further questions about our security, we'll be happy to assure you inside support threads. Have an amazing rest of your day and remember to stay safe!