
Massive Cyberattack Hits Internet Archive: 31 Million Users’ Data Compromised

The Internet Archive has experienced a data breach impacting 31 million users. Personal information, including email addresses and passwords, was exposed, possibly allowing hackers to access other accounts that use the same credentials. Users are urged to change their passwords and stay vigilant against phishing attempts.


Updates added at the end of the article.

Did you know that the Internet Archive’s “The Wayback Machine” was recently compromised in a data breach? A hacker managed to infiltrate the website and steal a user authentication database containing 31 million unique records. Yikes!

News of the breach began circulating when visitors to archive.org saw a JavaScript alert created by the hacker, stating that the Internet Archive was breached.

“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!,” the message read.

What is HIBP?

HIBP stands for Have I Been Pwned, a data breach notification service created by Troy Hunt. Threat actors commonly share stolen data with this service so users can check if their information has been compromised.

Hunt confirmed that the threat actor shared the Internet Archive’s authentication database with him, which is a 6.4GB SQL file named “ia_users.sql.” The database contains authentication information for registered members, including email addresses, screen names, password change timestamps, bcrypt-hashed passwords, and other internal data.

The most recent timestamp on the stolen records is September 28th, 2024, likely when the database was stolen.

How many people are affected?

Hunt says there are 31 million unique email addresses in the database, with many subscribed to the HIBP data breach notification service. The data will soon be added to HIBP, allowing users to enter their email and confirm if their data was exposed in this breach.

The data was confirmed to be real after Hunt contacted users listed in the database, including cybersecurity researcher Scott Helme, who allowed us to share his exposed record.

Helme confirmed that the bcrypt-hashed password in the data record matched the bcrypt-hashed password stored in his password manager. He also confirmed that the timestamp in the database record matched the date when he last changed the password in his password manager.
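The verification Helme performed works because a bcrypt string carries its own salt and cost factor, so anyone who knows the plaintext can recompute the hash and compare it, while an attacker without the plaintext has to brute-force each record separately. The following example, added here and not taken from the Internet Archive, Hunt, or Helme, shows what a defender can read off such a record: it parses the modular-crypt-format string, reports the cost factor (which sets the price of offline cracking), flags records whose hashes are weak or not bcrypt at all, and, if the third-party `bcrypt` package is installed, performs the same "does my known password match this hash" check. The record, the hash string, and the field names are constructed for illustration and do not correspond to any real user.

```python
import re
from typing import Optional

# Constructed sample record (not from the leaked file). The hash string is
# syntactically valid bcrypt (version, 2-digit cost, 22-char salt, 31-char
# digest, bcrypt's ./A-Za-z0-9 alphabet) but was not derived from any password.
SAMPLE_RECORD = {
    "email": "user@example.invalid",
    "passhash": "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "passchange": "2024-09-28 00:00:00",
}

# Modular crypt format used by bcrypt: $<version>$<cost>$<salt><digest>
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt(passhash: str) -> Optional[dict]:
    """Split a bcrypt string into its parts, or return None if it is not bcrypt."""
    m = _BCRYPT_RE.match(passhash)
    if not m:
        return None
    version, cost, salt, digest = m.groups()
    return {
        "version": version,
        "cost": int(cost),        # key-setup rounds = 2 ** cost
        "salt": salt,             # per-user salt, so equal passwords hash differently
        "digest": digest,
    }


def cracking_effort_ratio(cost: int, baseline_cost: int = 10) -> float:
    """How much more work one guess costs relative to a baseline cost factor."""
    return 2.0 ** (cost - baseline_cost)


def triage(records: list, min_cost: int = 10) -> list:
    """Return emails whose stored hash is not bcrypt or uses a cost below min_cost.

    Those are the accounts most exposed to offline guessing after a dump leaks.
    """
    flagged = []
    for rec in records:
        parsed = parse_bcrypt(rec["passhash"])
        if parsed is None or parsed["cost"] < min_cost:
            flagged.append(rec["email"])
    return flagged


def matches_known_password(passhash: str, candidate: str) -> Optional[bool]:
    """The check a user can do on their own leaked record: recompute bcrypt with
    the record's salt and cost and compare. Needs the third-party 'bcrypt'
    package; returns None when it is not installed."""
    try:
        import bcrypt  # pip install bcrypt
    except ImportError:
        return None
    return bcrypt.checkpw(candidate.encode("utf-8"), passhash.encode("utf-8"))


if __name__ == "__main__":
    info = parse_bcrypt(SAMPLE_RECORD["passhash"])
    print(f"bcrypt {info['version']}, cost {info['cost']}, salt {info['salt']}")
    print(f"per-guess work vs cost 10: {cracking_effort_ratio(info['cost'])}x")
    print("flagged:", triage([SAMPLE_RECORD]))
```

In a real dump the useful output is the distribution of cost factors across all records: a cost of 10 or more means each guess costs an attacker roughly a thousand bcrypt rounds, which is why reused passwords, not the hashing itself, are the practical risk the article warns about.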

What’s being done about it?

Hunt contacted the Internet Archive to start a disclosure process and stated that the data would be loaded into the HIBP service in 72 hours. However, he has not heard back since.

It is not known how the threat actors breached the Internet Archive and if any other data was stolen.

What else is happening?

Earlier, the Internet Archive suffered a DDoS attack, which has now been claimed by the BlackMeta hacktivist group, which says it will conduct additional attacks.

We reached out to the Internet Archive with questions about the attack, but no response was immediately available.

Update 10/10/24: Internet Archive founder Brewster Kahle shared an update on X last night, confirming the data breach and stating that the threat actor used a JavaScript library to show the alerts to visitors.

“What we know: DDOS attacked-fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords,” reads a first status update tweeted last night.

“What we’ve done: Disabled the JS library, scrubbing systems, upgrading security.”

A second update shared this morning states that DDoS attacks have resumed, taking archive.org and openlibrary.org offline again.

While the Internet Archive is facing both a data breach and DDoS attacks at the same time, it is not believed that the two attacks are connected.

Stay safe out there!

Always take your online security seriously and remember to change your passwords regularly. If you want to keep up to date with cybersecurity news and advice, don’t hesitate to contact us and keep coming back to learn more.
