Over 31 Million User Accounts Exposed

The Internet Archive, a non-profit digital library best known for its Wayback Machine, has disclosed a major data breach affecting over 31 million users as well as a series of distributed denial-of-service attacks.

On the afternoon of Oct. 9, visitors of The Internet Archive started seeing pop-up messages that read: “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”

HIPB is “Have I Been Pwned?” — a free website that allows users to check if their personal information has been compromised in a data breach.

Attackers managed to compromise a 6.4 GB SQL database containing authentication information for the Archive’s registered members, including email addresses, screen names, password-change timestamps, and bcrypt-hashed passwords, according to Bleeping Computer.

However, HIBP says 54% of the compromised data had already been flagged on its service as being exposed in previous breaches. It is currently not known how attackers breached The Internet Archive or if they stole any other data.

SEE: National Public Data Breach: Only 134 Million Unique Emails Leaked and Company Acknowledges Incident

Jake Moore, global cybersecurity advisor at internet security firm ESET, told TechRepublic in an email: “Hacking the past is usually technically impossible but this data breach is the closest we may ever come to it. The stolen dataset includes personal information but at least the stolen passwords are encrypted.

“However, it’s a good reminder to make sure all your passwords are unique as even encrypted passwords can be cross references against previous uses of it.

“Have I Been Pwned is a fantastic free service that can be used after a breach. It securely contains millions of breached usernames and passwords for people to safely check their credentials against the database to check if they have ever been caught up in a breach.

“If you find your data in any known breaches, it would be a good idea to change those passwords and implement multi factor authentication.”

Registered members of the Internet Archive will be able to change their password once the site is back online.

Timeline of this week’s attacks on The Internet Archive

The most recent password change timestamp in the dataset was found to be Sept. 28, which is likely when it was stolen. Indeed, HIBP operator Troy Hunt said that he had received the file on Sept. 30 and validated it by matching its data with a user’s account details.

In a post on X, Hunt said he first notified the Internet Archive of the breach on Oct. 6, and that he would load the compromised data onto HIBP within 72 hours. Two days later, the Internet Archive was hit with an apparently unrelated DDoS attack, but this was under control within an hour.

As Hunt began loading the data onto HIPB on Oct. 9, coincidentally, the pop-up started appearing. By 5:30 p.m. ET, both the pop-up and the site itself had been disabled, with some visitors seeing a message stating that “services are temporarily offline” and to visit the Archive’s X account for updates.

According to archivist Jason Scott, the site was also experiencing another DDoS attack. Kahle confirmed the breach and DDoS via X just after 9 p.m. ET. He said the pop-up had been added through its JavaScript library which had since been disabled, and that the second DDoS was being “fended off for now.”

SEE: Fidelity Data Breach Exposes Data From 77099 Customers

However, the following morning, Kahle posted on X again saying that the DDoS attacks had resumed again, knocking both archive.org and openlibrary.org offline. At the time of writing, the sites are still down while systems are upgraded.

BlackMeta has claimed responsibility for the DDoS attacks

On Oct. 10, the hacktivist group BlackMeta claimed responsibility for the DDoS attacks on The Internet Archive through a text post and video posted on X. Scott said on Mastodon that “they’re doing it just to do it. Just because they can. No statement, no idea, no demands.”

BlackMeta also posted about disrupting the Archive’s services in May, which was confirmed by Scott at the time. It is not believed that the DDoS attacks are connected to the data breach, and none of the contents of the Archive has been corrupted, Kahle has said.

DDoS attacks are on the rise

A denial of service attack is a strategy used by malicious actors to prevent legitimate users from accessing a web server, web application, or cloud service by flooding it with service requests.

While a DoS attack is essentially single origin, a distributed denial of service attack uses a large number of machines on different networks to disrupt a particular service provider; this is more challenging to mitigate, as the attack is being waged from multiple sources.

According to a report by NETSCOUT, the number of application-layer and volumetric DDoS attacks have risen by 43% and 30% respectively in the first half of this year. Analysts found that critical infrastructure, such as banking, financial services, and public utilities, are prime targets for maximum impact.

Earlier this month, Cloudflare successfully mitigated a DDoS attack, which it claimed was the largest ever disclosed.