Hackers Breach Internet Archive, Expose 31 Million Users in Data Leak and DDoS Attack

Hackers have breached the Internet Archive’s systems, compromising sensitive information and launching a large-scale Distributed Denial of Service (DDoS) attack. The attack has exposed 31 million user credentials, including hashed passwords. While it remains unclear whether the data breach and the DDoS attack are connected, early signs suggest that a single threat actor may be responsible for both incidents.

Unfolding the Internet Archive Hack

The first indication of the breach came directly from the Internet Archive’s website, where visitors were greeted with an unusual JavaScript popup alert:

“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”

This message hinted at the scale of the hack and pointed readers to “HIBP,” the Have I Been Pwned data breach notification service. According to Troy Hunt, the founder of HIBP, the hacker provided him with a 6.4GB database days before the public announcement. In an interview with Bleeping Computer, Hunt confirmed the database contained personal information from registered Internet Archive users, including “email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data.” The database, which Hunt verified as genuine, indicates that the breach occurred on September 18.

As a result, users will soon be able to check if their data was exposed via HIBP. The database holds approximately 31 million records, which include sensitive authentication details of the Internet Archive’s registered users.

Expert Insights Into the Breach

According to Jason Meller, vice president of product at 1Password and former security strategist at Mandiant, the attackers successfully exfiltrated the Internet Archive’s backend database. “The database has been exfiltrated, indicating that the back-end infrastructure was accessible, and their pages have been defaced,” Meller stated, adding that the hackers “appear to have some control over the web content served to users.” Additionally, he noted the DDoS attack has severely disrupted the site, leading to repeated outages, suggesting the hackers have gained “dominance at the network layer.”

Despite the breach, experts have acknowledged that the Internet Archive’s use of security protocols has, to some extent, mitigated the damage. Adam Brown, managing security consultant at Black Duck, highlighted the effectiveness of Bcrypt, a secure hashing algorithm used to protect passwords. “Using Bcrypt, if implemented correctly, will prevent the extraction of passwords,” Brown explained. He emphasized that while hackers may attempt to look up common passwords, the Bcrypt hashing algorithm, when combined with salting, would make it much more challenging for them to succeed. However, Brown also pointed to potential security gaps in the system, noting, “we can assume there is likely lacking or misconfigured security controls around access to [the database].”

The Challenge of Securing Internet History

The Internet Archive, which holds decades of web history, is a critical resource. But as Jake Moore, global cybersecurity advisor with ESET, pointed out, the very nature of the data it stores makes it an attractive target. “Hacking the past is usually technically impossible, but this data breach is the closest we may ever come to it,” Moore commented, emphasizing that while the passwords were encrypted, the dataset also included other personal information.

Moore issued a stark reminder about password security, warning that “even encrypted passwords can be cross-referenced against previous uses of the same password.” He urged users to ensure that all their passwords are unique, as reusing old passwords could still leave them vulnerable to attacks.

Internet Archive’s Response and Suspected Motivations

Brewster Kahle, a digital librarian and founder of the Internet Archive, addressed the breach in a public statement on X (formerly Twitter):

“What we know: DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords. What we’ve done: Disabled the JS library, scrubbing systems, upgrading security. Will share more as we know it.”

While the identity of the hacker behind the data breach remains unconfirmed, some cybersecurity experts suggest political motivations may be at play. Donny Chong, a director at Nexusguard, noted that “Distributed Denial-of-Service attacks often suggest political motives.” In this case, the pro-Palestinian hacktivist group Black Meta has claimed responsibility for the DDoS attacks, though they have not yet taken credit for the data breach itself.
