Internet Archive Hacked: Data Breach Affects 31 Million Users

By Admin | 2024-10-11 | Cyber Attack

The Internet Archive, known for its "Wayback Machine," has experienced a significant data breach, compromising a user authentication database containing 31 million unique records. The breach came to light Wednesday afternoon when visitors to archive.org encountered a JavaScript alert from the hacker announcing the incident.

The alert read: "Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!" "HIBP" refers to the Have I Been Pwned data breach notification service, where stolen data is often shared.

According to Troy Hunt, creator of HIBP, the threat actor had shared the Internet Archive's authentication database nine days prior, comprising a 6.4GB SQL file named "ia_users.sql." This database includes sensitive information such as email addresses, screen names, password change timestamps, and bcrypt-hashed passwords for registered users. The last recorded timestamp in the stolen database indicates the data was taken on September 28, 2024.

Hunt confirmed that the database includes 31 million unique email addresses, many of which are subscribed to the HIBP service. Users will soon be able to check if their information has been compromised by entering their email addresses on the HIBP site.

The authenticity of the breach was validated after Hunt reached out to users listed in the compromised data. Cybersecurity researcher Scott Helme confirmed that his bcrypt-hashed password matched the one stored in his password manager and that the timestamp aligned with his last password change.

Hunt attempted to notify the Internet Archive about the breach three days ago, initiating a disclosure process. However, he reported no response from the organization since then. The means of the breach remain unclear, as does the possibility of other stolen data.

Earlier in the day, the Internet Archive was also hit by a DDoS attack, claimed by the BlackMeta hacktivist group, which announced plans for further attacks. BleepingComputer reached out to the Internet Archive for additional information, but no immediate response was received.

Update 10/10/24: Internet Archive founder Brewster Kahle provided updates via X (formerly Twitter), confirming the data breach and explaining that a JavaScript library was used to display alerts to visitors. Kahle stated: "What we know: DDoS attacked—fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords." He further mentioned that they have disabled the JS library, scrubbed systems, and upgraded security measures.

A second update noted that DDoS attacks have resumed, taking archive.org and openlibrary.org offline once again. While the Internet Archive faces both a data breach and ongoing DDoS attacks, the two incidents are not currently believed to be connected.