>>170464
I'm not sure how much he could de-anonymize people. Reveal IP addresses of posters?
It's bad of course, but wouldn't really call that de-anonymizing. And aren't those stored as hashes already?
If he did replace files with vulnerable ones, then that could be bad, if the database hash remains intact. If someone posts an image that was previously uploaded, and that image is infected, then that person has unknowingly spread malware.
Not sure about executable code though. I'd be more concerned with steganography here, depending on how rough your local law enforcement is.
If you aren't storing people's actual IP, then what's in your logs would be the most concerning I think