The Internet Archive, home to the popular “Wayback Machine,” has recently fallen victim to a significant data breach, exposing sensitive information from over 31 million users. This incident has raised serious concerns about the security of one of the internet’s most trusted resources for preserving digital history.
The breach came to light on October 9, 2024, when users visiting archive.org encountered a suspicious JavaScript alert warning them of the security breach. The alert claimed that the Internet Archive had experienced a catastrophic failure, mentioning “HIBP,” or “Have I Been Pwned?”—a site where users can check if their data has been compromised in previous breaches. The message ominously stated, “Have you ever felt like the Internet Archive runs on sticks? It just happened. See 31 million of you on HIBP!”
Troy Hunt, the creator of Have I Been Pwned?, confirmed that he had received a large file nine days prior containing the compromised data. This file, named “ia_users.sql,” was 6.4GB and included not only email addresses and screen names but also timestamps for password changes and Bcrypt-hashed passwords. Hunt was able to validate the data by cross-referencing it with user accounts.
Details of the Compromise
The breached database contained unique records for 31 million users, with the last updated timestamp recorded on September 28, 2024. Hunt reached out to several users whose data had been exposed, including cybersecurity researcher Scott Helme, who confirmed that the Bcrypt-hashed password in his record matched the password stored in his password manager. However, questions remain about how the hackers infiltrated the Internet Archive’s systems and whether any additional sensitive information was stolen.
In light of this breach, users will soon be able to check if their information appears in the Have I Been Pwned? database, giving them a chance to take action if necessary.
DDoS Attack and Website Disruption
Shortly after the breach was made public, the Internet Archive experienced a Distributed Denial of Service (DDoS) attack, which further complicated its recovery efforts. The hacktivist group “BlackMeta” claimed responsibility for this attack, stating their intention to launch additional assaults on the site. Visitors to the site initially encountered a defacement message along with the hacker’s JavaScript alert.
Jason Scott, an archivist at the Internet Archive, confirmed the ongoing DDoS attack and shared that it was carried out “just because they can.” The site was eventually taken offline, replaced by a message directing users to its social media for updates. By the evening of October 9, the website remained mostly inaccessible.
Response from the Internet Archive
Brewster Kahle, a leading figure at the Internet Archive, addressed the situation on X (formerly Twitter) later that day, acknowledging the breach and outlining the steps being taken to mitigate the damage. He stated, “What we’ve done: Disabled the JS library, scrubbing systems, upgrading security.” The Internet Archive has since disabled the compromised JavaScript library used to display the alert and is focused on enhancing its security measures.
Implications of the Breach
The breach of the Internet Archive’s user database has highlighted the pressing need for stronger cybersecurity measures at this critical repository. With millions of users potentially affected, the organization faces increased scrutiny and pressure to protect user data from future attacks.
As investigations continue, more details about the breach and the attackers are expected to surface. For now, users are urged to monitor the Have I Been Pwned? website to check for any compromises and to change their passwords to bolster their security.