Internet Archive breach exposes 31 million users


An illegitimate JavaScript pop-up on the Internet Archive announced Wednesday afternoon that the site had suffered a serious data breach. A few hours later, the organization confirmed the incident.

Longtime security researcher Troy Hunt, who runs the data breach notification website Have I Been Pwned (HIBP), also confirmed that the breach is legitimate. He said the incident happened in September and the stolen data trove contained 31 million unique email addresses along with usernames, bcrypt password hashes, and other system data. Bleeping Computer, which first reported the breach, also confirmed the authenticity of the data.

The Internet Archive did not return multiple requests for comment from WIRED.

“Have you ever felt like the Internet Archive is running at full capacity and constantly at risk of a serious security breach?” the attackers wrote in an Internet Archive pop-up message Wednesday. “It just happened. See 31 million of you on HIBP!”

In addition to the data breach and website defacement, the Internet Archive has also struggled with a wave of distributed denial-of-service attacks that kept its services offline.

Internet Archive founder Brewster Kahle provided a public update Wednesday night in a post on the social network X. “What we know: DDOS attack—now stopped; sabotage of our website via JS library; salted username/email/password violation. What we did: Disabled JS library, system scan, security upgrade. Will share more when we know.” “Scanning systems” refers to services that provide protection against DDoS attacks by filtering malicious junk traffic so it cannot flood and disrupt a website.

The Internet Archive has faced powerful DDoS attacks multiple times in the past, including in late May. As Kahle wrote on Wednesday: “Yesterday’s DDoS attack on @internetarchive was repeated today. We are working to bring http://archive.org back online.” The hacktivist group known as BlackMeta claimed responsibility for this week’s DDoS attacks and said it plans to conduct more operations against the Internet Archive. However, the perpetrator of the data breach has not yet been identified.

The Internet Archive has faced battles on many fronts in recent months. In addition to repeated DDoS attacks, the organization also faces mounting legal challenges. It recently lost its appeal in Hachette v. Internet Archive, a lawsuit brought by book publishers, which argued that its digital lending library violated copyright law. Now it is facing an existential threat in the form of another copyright lawsuit, this one from music labels, which could result in damages of up to 621 million USD if the court rules against the archive.

HIBP’s Hunt said that he first received the stolen Internet Archive data on September 30, reviewed it on October 5, and alerted the organization about it on October 6. He said that the team confirmed the breach to him the next day and that he planned to load the data into HIBP and notify subscribers of the breach on Wednesday. “They get defaced and DDoSed, as soon as the data is loaded into HIBP,” Hunt wrote. “The timing at the last point seems completely coincidental.”

Hunt also added that while he encouraged the team to publicly disclose the data breach before the HIBP announcement was made, extenuating circumstances could explain the delay.

“Obviously I would have liked to have seen that information much sooner, but understanding how vulnerable they are, I think people should cut them back a little bit,” Hunt wrote. “They are a nonprofit that does great work and provides a service that so many of us rely on.”
