Internet Archive breach exposes 31 million users

An illicit JavaScript pop-up on Internet Archive proclaimed Wednesday afternoon that the site had suffered a major data breach. Hours later, the organization confirmed the incident.

Troy Hunt, a longtime security researcher who runs the data breach reporting website Have I Been Pwned (HIBP), also confirmed that the breach is legitimate. He said it happened in September and that the stolen trove contains 31 million unique email addresses along with usernames, bcrypt password hashes and other system data. BleepingComputer, which first reported the breach, also confirmed the validity of the data.

The Internet Archive has not yet responded to multiple requests for comment from WIRED.

“Have you ever felt like the Internet Archive is powered by devices and constantly on the verge of a catastrophic security breach?” the attackers wrote in Wednesday’s Internet Archive pop-up message. “It just happened. I see 31 million of you on HIBP!”

In addition to the breach and the site defacement, the Internet Archive has been dealing with a wave of distributed denial-of-service attacks that have intermittently disrupted its services.

Internet Archive founder Brewster Kahle provided a public update Wednesday afternoon in a post on the social network X. “What we know: DDOS attack – defended for now; defacing our website via the JS library; breach of salt-encrypted usernames/email/passwords. What we have done: Disabled the JS library, cleaned the systems and updated the security. We will share more as we know it.” “Scrubbing systems” refers to services that protect against DDoS attacks by filtering out malicious junk traffic so that it cannot flood or disrupt a website.

The Internet Archive has faced aggressive DDoS attacks on numerous occasions in the past, including in late May. As Kahle wrote on Wednesday: “Yesterday’s DDOS attack on @internetarchive was repeated today. We are working to get http://archive.org back online.” The hacktivist group known as “BlackMeta” claimed responsibility for this week’s DDoS attacks and said it plans to carry out more against the Internet Archive. The perpetrator of the data breach, however, is not yet known.

The Internet Archive has faced battles on many fronts in recent months. In addition to repeated DDoS attacks, the organization is also facing increasing legal challenges. It recently lost an appeal in Hachette v. Internet Archive, a lawsuit brought by book publishers, who argued that its digital lending library violated copyright law. Now it faces an existential threat in the form of another copyright lawsuit, this time brought by record labels, which may result in damages exceeding $621 million if the court rules against the archive.

HIBP’s Hunt says he first received the stolen Internet Archive data on September 30, reviewed it on October 5, and warned the organization about it on October 6. He says the group confirmed the breach to him the next day and that he planned to upload the data to HIBP and notify its subscribers about the breach on Wednesday. “They get defaced and suffer DDoS attacks, just as data is uploaded to HIBP,” Hunt wrote. “The timing of the last point appears to be entirely a coincidence.”

Hunt also added that while he encouraged the group to publicly disclose the data breach before the HIBP notices went out, extenuating circumstances may explain the delay.

“Obviously I would have liked to see that reveal much sooner, but understanding how attacked they are, I think everyone should be more tolerant,” Hunt wrote. “They are a nonprofit that does great work and provides a service that many of us rely heavily on.”