Internet Archive hacked, suffering data breach and DDoS attack, 31M affected
The Internet Archive, a renowned non-profit dedicated to preserving digital history, was hacked on Wednesday, according to a statement from founder Brewster Kahle. The breach led to the defacement of the site via a JavaScript pop-up alert, notifying visitors of the incident.
The message displayed on the compromised website read, “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!” The reference is to HIBP (Have I Been Pwned?), a popular platform where users can check whether their personal information has been exposed in a data breach.
Internet Archive data leak confirmed
Troy Hunt, the operator of HIBP, confirmed that a file containing internal data, including email addresses, screen names, password change timestamps, and Bcrypt-hashed passwords, had been provided to him nine days prior. Hunt verified the legitimacy of the leak by cross-referencing the data with a user’s account. The compromised database reportedly holds information for 31 million unique email addresses.
Hunt also shared that 54% of the accounts had already been included in HIBP from previous breaches. In posts on social media, he detailed how he contacted the Internet Archive on October 6th to begin a disclosure process but had not received a response since.
Internet Archive DDoS attack
Along with the data breach, the Internet Archive suffered a Distributed Denial-of-Service (DDoS) attack, slowing the website’s operations and leaving it intermittently offline. The attack coincided with the defacement, temporarily causing the site to display a placeholder message directing users to check updates via social media.
Jason Scott, an archivist and software curator for the Internet Archive, posted on Mastodon that the DDoS attack appeared to have no clear purpose, stating that the attackers seemed to be doing it “just because they can.”
Later that evening, Kahle confirmed the breach on X (formerly Twitter), while an account named SN_Blackmeta claimed responsibility for the attack. The account also hinted at further attacks planned for the following day and referenced a previous incident in May.
The breach has raised concerns over the security of sensitive information housed by the Internet Archive, especially given its role in preserving vast amounts of public and private data. The leaked database includes registration details dating as far back as 2020, with the latest timestamp recorded on September 28, 2024, just days before the attack.
One affected user, cybersecurity researcher Scott Helme, confirmed that his account was part of the compromised data. Helme verified that the Bcrypt-hashed password in the leaked file matched the one stored in his password manager, further validating the breach’s authenticity.