Wayback Machine hosting site Internet Archive has recently suffered a data breach, with hackers compromising a user authentication database containing 31 million unique records. The breach became publicly known after visitors to archive.org noticed a JavaScript alert on the website, created by the attacker, warning of the incident.
“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened,” the message read. “See 31 million of you on HIBP!”
The “HIBP” referred to in the alert stands for Have I Been Pwned (HIBP), a data breach notification service run by cybersecurity expert Troy Hunt, who later confirmed the attack. According to Hunt, a file named “ia_users.sql” was shared with HIBP nine days before the breach became publicly visible.
Hi folks, yes, I'm aware of this. I've been in communication with the Internet Archive over the last few days re the data breach, didn't know the site was defaced until people started flagging it with me just now. More soon. https://t.co/uRROXX1CF9
— Troy Hunt (@troyhunt) October 9, 2024
The database includes screen names, Bcrypt-hashed passwords, other internal information from the Internet Archive’s database, and 31 million email addresses – some of which are already subscribed to the HIBP service. Hunt notes that users will soon be able to check whether their data was exposed.
The authenticity of the stolen data was also confirmed by cybersecurity researcher Scott Helme, whose own hashed password in the database matched the one stored in his password manager. Helme also verified that the timestamp on the stolen data coincided with the last time he had changed his password. The breach is believed to have occurred around September 28th, 2024, based on the most recent timestamp in the stolen records.
What we know: DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords.
What we’ve done: Disabled the JS library, scrubbing systems, upgrading security.
Will share more as we know it.
— Brewster Kahle (@brewster_kahle) October 10, 2024
Brewster Kahle, the founder of the Internet Archive, confirmed the data breach in a series of updates on social media. He stated that the attackers used a compromised JavaScript library to display the alerts on the website. It should also be noted that alongside the data breach, the Internet Archive also faced a distributed denial of service (DDoS) attack claimed by the BlackMeta hacktivist group, though it is not yet known if the two incidents are related.
Update: @internetarchive’s data has not been corrupted. Services are currently stopped to upgrade internal systems.
We are working to restore services as quickly and safely as possible.
Sorry for this disruption.
— Brewster Kahle (@brewster_kahle) October 10, 2024
Kahle assured users that steps are being taken to mitigate the damage, including disabling the affected JavaScript library, conducting system scrubbing, and upgrading security measures. However, DDoS attacks have resumed, causing both archive.org and openlibrary.org offline again earlier. At the time of writing, Kahle assures that no data has been corrupted, though the site’s services is temporarily unavailable in order to upgrade internal systems
(Source: Bleeping Computer)
