Internet Archive's "Wayback Machine" experiences major data breach affecting 31 million users

The Internet Archive, a non-profit digital library renowned for its "Wayback Machine," has reportedly suffered a significant data breach, with a threat actor compromising the site and stealing an authentication database containing 31 million unique user records. This alarming news began circulating on Wednesday afternoon when users visiting archive.org encountered a JavaScript alert created by the hacker, notifying them of the breach.

 

The alert provocatively stated, "Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!" "HIBP" refers to the Have I Been Pwned service, a data breach notification platform established by cybersecurity expert Troy Hunt. Threat actors often use this service to share stolen data.

 

According to Hunt, the threat actor shared the Internet Archive’s authentication database approximately nine days ago. This database is a substantial 6.4GB SQL file named "ia_users.sql," containing crucial authentication information for registered members. This includes email addresses, screen names, password change timestamps, bcrypt-hashed passwords, and other internal data. The last timestamp on the stolen records is dated September 28, 2024, indicating when the database was likely exfiltrated.

 

Hunt reported that the database includes 31 million unique email addresses, many of which are subscribers to the HIBP notification service. The stolen data is set to be uploaded to HIBP, enabling users to check if their information has been compromised.

 

The validity of the breached data was confirmed when Hunt reached out to users listed in the database. Cybersecurity researcher Scott Helme confirmed that his bcrypt-hashed password matched the one stored in his password manager, and the timestamp in the database reflected the date he last changed his password.

 

Hunt mentioned that he initiated a disclosure process with the Internet Archive three days before the breach became public, indicating that the stolen data would be added to HIBP within 72 hours. However, he has yet to receive any communication from the Internet Archive.

 

As investigations into the breach continue, the method by which the threat actors accessed the Internet Archive remains unclear. It is also unknown if any additional sensitive data was compromised during the breach.

 

Compounding the situation, the Internet Archive reported experiencing a Distributed Denial of Service (DDoS) attack earlier today, claimed by the hacktivist group BlackMeta. This group has announced plans for further attacks.