Internet Archive Data Breach Exposes Information of 31 Million Users

On Wednesday afternoon, a rogue JavaScript pop-up on the Internet Archive reported a significant data breach affecting millions of users. In a confirmation several hours later, the organization acknowledged the breach, marking a serious incident for the nonprofit dedicated to preserving the historical web and digital resources.

Troy Hunt, a prominent cybersecurity expert and the operator of the data-breach notification service Have I Been Pwned, verified the breach’s authenticity. He indicated that the incident occurred in September and involved the unauthorized acquisition of 31 million unique email addresses, alongside usernames, bcrypt password hashes, and other sensitive system data. Bleeping Computer, which initially reported the breach, also validated the accuracy of the compromised data.

In a striking message left by the attackers, the Internet Archive pop-up taunted, “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!” This type of communication underscores the audacity of modern cyber threats, which not only aim to steal data but also attempt to publicly humiliate their targets.

Beyond the data breach, the Internet Archive has been contending with a series of distributed denial-of-service (DDoS) attacks that have intermittently disrupted its online services. Brewster Kahle, the founder of the Internet Archive, confirmed to media outlets that ongoing DDoS attacks have forced the organization to take its services offline temporarily to recover and mitigate the impact of these incidents.

Kahle provided a public update on the situation, stating that the organization's defenses had fended off the DDoS attacks for now, but that the website defacement and data breach had taken place. In response, the Archive is scrubbing its systems and enhancing its security protocols. The term “scrubbing systems” refers to the implementation of protective services designed to filter out malicious traffic and safeguard the integrity of the website against future attacks.

The Internet Archive has been targeted before, experiencing aggressive DDoS assaults, notably in late May. Kahle noted that the recent DDoS attack repeated similar patterns from prior incidents and indicated ongoing efforts to restore full functionality. The hacktivist group BlackMeta has claimed responsibility for these DDoS attacks and has indicated intentions to continue targeting the Internet Archive.

In addition to cybersecurity threats, the Internet Archive faces legal turmoil, including copyright infringement challenges from the publishing and music industries. Recently, the organization lost an appeal in the case of Hachette v. Internet Archive, raising concerns about its digital lending practices. A subsequent lawsuit by music labels threatens the Archive with potential damages exceeding $621 million if the court rules unfavorably.

Hunt explained that he first became aware of the compromised Internet Archive data on September 30th and communicated the breach to the Archive on October 6th. Ironically, the breach was acknowledged amid ongoing disruptions caused by the DDoS attacks, just as the data was being prepared for disclosure. The timing of these events highlights the complex risks organizations face in the cybersecurity landscape.

As cybersecurity threats evolve, understanding the nature of these attacks is crucial for organizations aiming to safeguard sensitive information. The MITRE ATT&CK framework provides relevant context for this incident: tactics such as initial access (likely through exploited vulnerabilities) and persistence were potentially employed by the attackers. The Internet Archive’s experience exemplifies the urgent need for robust defenses in an era where the security of digital assets is increasingly jeopardized.
