Data Breach Hits The Wayback Machine, Millions of Records Compromised
The popular digital archive known as The Wayback Machine, operated by the Internet Archive, has reportedly experienced a severe data breach. This incident has led to the theft of over 31 million records, which encompass sensitive user information. According to sources, the breach occurred through unauthorized access to a user authentication database.
On October 9, visitors to The Wayback Machine encountered an unexpected JavaScript alert indicating, "see 31 million of you on HIBP!" This message referred to Have I Been Pwned (HIBP), a data breach notification service created by Troy Hunt. Frequently, threat actors target HIBP as a platform to disseminate stolen data, contributing to a broader understanding of the scale of data breaches.
Troy Hunt later confirmed that he received a substantial file titled “ia_users.sql,” roughly 6.4 GB in size, containing the exposed data nine days before the public notification. This file included not just email addresses and usernames, but also timestamps regarding password changes and Bcrypt-hashed passwords. Hunt has leveraged user accounts to verify the authenticity of the compromised data.
Among those contacted was cybersecurity researcher Scott Helme, who acknowledged that his Bcrypt-hashed password matched the one stored in his password manager. This verification raises critical questions about the methods employed by hackers to breach the Internet Archive’s defenses and whether other forms of sensitive information may have been extracted.
The last recorded timestamp on the breached records indicates September 28, 2024, which is likely the date when the database was compromised. The breach has already been incorporated into HIBP, enabling users to check whether their information has been affected.
In the aftermath of the breach, the Internet Archive has also encountered a Distributed Denial of Service (DDoS) attack claimed by the hacktivist group BlackMeta. Following this attack, a defaced message and further JavaScript alerts were observed on the site, prompting a suspension of online activity until the situation could be managed. By the evening of October 9, access to the website remained intermittent at best.
Brewster Kahle, a key figure at the Internet Archive, has addressed these issues via social media platform X (formerly Twitter). He confirmed that the compromised JavaScript library has been disabled and emphasized ongoing security enhancements to prevent future incidents. The breach’s implications for cybersecurity at the Internet Archive are significant, as millions of user data records are now at risk. Users are advised to alter their passwords and verify their accounts for any signs of exposure.
As the investigation unfolds, the tactics and techniques employed in this breach may align with the MITRE ATT&CK framework, indicative of initial access and potential privilege escalation. Understanding these elements is crucial for business owners focused on enhancing their cybersecurity posture in the wake of such incidents.
