Internet Archive hacked: How millions of passwords, emails were stolen in massive cyberattack

The Internet Archive, renowned for its digital library and the Wayback Machine, has recently been subject to a cyberattack that has compromised millions of users’ data.

The attack on the Internet Archive began with a malicious JavaScript pop-up that appeared on October 9, informing visitors of a security breach.

The message read, “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!” This message confirmed what would soon be one of the largest breaches in the organisation’s history.

Troy Hunt, a well-known security researcher and the founder of Have I Been Pwned (HIBP), confirmed the breach. Hunt revealed that the attack took place in September and compromised 31 million email addresses, along with usernames, bcrypt password hashes, and other internal system data.

More from Explainers

How ChatGPT is becoming everyone’s BFF and why that’s dangerous This Week in Explainers: How recovering from Gen-Z protests is a Himalayan task for Nepal

Hunt first received the stolen data on September 30 and reviewed it on October 5, notifying the Internet Archive the following day. “They get defaced and DDoS’d, right as the data is loading into HIBP,” Hunt remarked, highlighting the timing of the breach and subsequent denial-of-service attacks.

Let me share more on the chronology of this:

30 Sep: Someone sends me the breach, but I'm travelling and didn't realise the significance
5 Oct: I get a chance to look at it - whoa!
6 Oct: I get in contact with someone at IA and send the data, advising it's our goal to load…

— Troy Hunt (@troyhunt) October 9, 2024

This breach also coincided with distributed denial-of-service (DDoS) attacks that temporarily took down the site, making services like the Wayback Machine inaccessible.

Editor’s Picks

1

Ukrainian hacktivists hacked into Russian state TV VGTRK to ‘celebrate’ President Vladimir Putin's birthday 2

In a major cyber attack, hackers target WHO and British parliamentarians on X

Brewster Kahle, founder of the Internet Archive, posted an update on X (formerly Twitter) confirming, “What we know: DDOS attack — fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords. What we’ve done: Disabled the JS library, scrubbing systems, upgrading security. Will share more as we know it.”

What we know: DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords.

What we’ve done: Disabled the JS library, scrubbing systems, upgrading security.

Will share more as we know it.

— Brewster Kahle (@brewster_kahle) October 10, 2024

Who’s behind the attack?

The hacktivist group SN_BlackMeta has claimed responsibility for the DDoS attacks, though their direct involvement in the data breach remains unclear.

The group has been linked to other major cyberattacks this year, including a six-day-long DDoS assault on a Middle Eastern financial institution using a DDoS-for-hire service called InfraShutdown.

Cybersecurity firm Radware has connected SN_BlackMeta to a pro-Palestinian hacktivist movement, which may have influenced their decision to target the Internet Archive.

In a post on X, SN_BlackMeta stated, “The Internet archive has and is suffering from a devastating attack. We have been launching several highly successful attacks for five long hours, and to this moment, all their systems are completely down.”

The group has hinted at further attacks, claiming they will continue to target the Internet Archive due to its ties to the United States, a nation they accuse of supporting Israel.

How much user data has been compromised?

The Internet Archive data breach exposed 31 million unique email addresses, screen names, and bcrypt-hashed passwords. While bcrypt is a strong encryption algorithm, users are still advised to change their passwords, especially if they reuse passwords across different platforms.

According to Hunt, 54 per cent of the email addresses compromised in this breach were already present in the HIBP database due to previous breaches.

The stolen database, a 6.4GB SQL file labelled “ia_users.sql,” contained records up to September 28, 2024, which indicates the breach likely occurred around that time.

Hunt also stated, “Obviously, I would have liked to see that disclosure much earlier, but understanding how under attack they are, I think everyone should cut them some slack. They’re a nonprofit doing great work and providing a service that so many of us rely heavily on.”

Bleeping Computer, which first reported the breach, verified the legitimacy of the stolen data. As of now, users who had registered accounts with the Internet Archive have received breach notifications via Have I Been Pwned, which informed them they were part of the 31 million compromised records.

How is Internet Archive dealing with the breach?

The Internet Archive has been under siege on multiple fronts. In addition to the cyberattacks, the nonprofit has been battling legal disputes. Most notably, the organisation recently lost a major copyright lawsuit against several book publishers in Hachette v. Internet Archive.

The lawsuit, which challenged the legality of its digital lending library, adds significant pressure to an already embattled organisation. The Internet Archive could now face damages upwards of $621 million if it loses an additional copyright case brought forward by music labels.

Kahle has acknowledged these challenges, expressing concerns over both the legal battles and the ongoing cyberattacks. He stressed the organisation’s commitment to recovering from the DDoS attacks and breach, saying, “Yesterday’s DDoS attack on @internetarchive repeated today. We are working to bring archive.org back online.”

What should users do to remain safe?

For users of the Internet Archive, the most immediate step is to change passwords, especially if they reuse them on other platforms. Despite bcrypt encryption, the risk remains, especially with repeated attacks and growing cyber threats.

Additionally, cybersecurity experts recommend avoiding downloads or interaction with files from the Internet Archive until the organisation declares the breach resolved and services secure.

As the Internet Archive continues to mitigate the damage from the breach and subsequent attacks, Kahle and his team are focused on bolstering security measures.

“Scrubbing systems,” Kahle explained, is a process that involves filtering out malicious traffic to protect against DDoS attacks. The Archive’s commitment to providing access to free knowledge persists despite these mounting challenges.