On Wednesday afternoon, it was announced that the site had suffered a massive data breach due to an illegal JavaScript popup on the Internet Archive. Hours later, the organization confirmed the incident.
Troy Hunt, a longtime security researcher who runs the data breach notification website Have I Been Pwned (HIBP), also confirmed that the breach was legitimate. He said the incident occurred in September and that the stolen treasure included 31 million unique email addresses, along with usernames, bcrypt password hashes, and other system data. Bleeping Computer, which first reported the breach, also confirmed the validity of the data.
The Internet Archive did not respond to multiple requests for comment from WIRED.
“Have you ever felt like the Internet Archive is running on sticks and is always on the brink of a catastrophic security breach?” the attackers wrote in an Internet Archive pop-up message on Wednesday. Masu. “It just happened. See you 31 million people at HIBP!”
In addition to breaches and site defacements, the Internet Archive is also dealing with a wave of distributed denial-of-service attacks that have caused intermittent service outages.
Internet Archive founder Brewster Kahle made the update public in a post on social network X on Wednesday night. Tampering with our website via JS libraries. Compromise of username/email/salt encrypted password. What we did: Disabled JS libraries, scrubbed the system, and upgraded security. I’ll share more as I learn more. ” A “scrubbing system” refers to a service that protects against DDoS attacks by filtering malicious junk traffic and prevents websites from being flooded and disrupted.
The Internet Archive has faced aggressive DDoS attacks multiple times in the past, including in late May. Kahle wrote on Wednesday: “Yesterday’s DDoS attack against @internetarchive was repeated today. We are working to bring http://archive.org back online.” The hacktivist group known as BlackMeta is responsible for this week’s DDoS attack. and said they planned to carry out further attacks against the Internet Archive. Still, the culprit behind the data breach is still unknown.
In recent months, the Internet Archive has faced battles on multiple fronts. In addition to repeated DDoS attacks, the organization also faces increasing legal challenges. The company recently lost on appeal in Hachette v. Internet Archive, a lawsuit brought by a book publisher that claimed its digital lending library violated copyright law. Now facing an existential threat in the form of another copyright lawsuit, this one from a music label, it could face more than $621 million in damages if the court rules against the archives. may occur.
HIBP’s Hunt said he first received the stolen Internet Archive data on September 30, reviewed it on October 5, and alerted the organization on October 6. The group said it confirmed the breach the next day and planned to load the files. data to HIBP and will notify its subscribers about the breach on Wednesday. “As data is loaded into HIBP, it is altered and subject to DDoS attacks,” Hunt wrote. “The timing of the last point seems completely coincidental.”
Hunt also encouraged the group to disclose the data breach itself before a HIBP notification is issued, but added that extenuating circumstances could explain the delay.
“Obviously I wish they had disclosed sooner, but I think everyone should give them some leeway once they realize how much they are under attack,” Hunt wrote. “They are a nonprofit organization that does great work and provides a service that many of us rely on heavily.”