The Internet Archive, best known for its “Wayback Machine,” has suffered a major data breach, compromising the user authentication database of 31 million registered users. News of the breach surfaced when visitors to archive.org encountered a JavaScript alert stating that the Internet Archive had been breached.
The message read: “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!” HIBP is the “Have I Been Pwned” data breach notification service, which later confirmed the inclusion of the Internet Archive’s compromised data.
According to HIBP’s founder, Troy Hunt, the hacker provided the Internet Archive’s authentication database to him, which included user email addresses, screen names, bcrypt-hashed passwords, and other internal data. The most recent timestamp on the stolen records suggests the breach occurred on September 28, 2024. Hunt attempted to notify the Internet Archive three days before adding the data to HIBP but did not receive a response.
Further complicating the situation, the Internet Archive also suffered a DDoS attack, claimed by the BlackMeta hacktivist group. Internet Archive founder Brewster Kahle confirmed the attack, stating that the site had faced a defacement involving the use of a JavaScript library and that steps were being taken to secure their systems.
In an additional twist, a pro-Palestinian hacktivist group has also claimed responsibility for both compromising users’ login information and launching a sustained DDoS attack on the Internet Archive, further heightening concerns about the security and stability of one of the world’s largest digital archives. Brewster Kahle’s posts on X (formerly Twitter) reflected his frustration: “DDOS on a Tuesday? Last time it was a Monday.” The attacks have since taken the Archive offline intermittently, with ongoing efforts to restore access.
Troy Hunt shared a timeline of the breach, noting that he received the compromised data on September 30 but was initially unaware of its significance. After realizing the scope of the data on October 5, Hunt contacted the Internet Archive, advising them of the planned addition of the data to the HIBP database within 72 hours, but received no response.
Users of the Internet Archive are advised to change their passwords immediately. Those who have accounts are encouraged to check whether their email addresses were involved in the breach via the “Have I Been Pwned” service.
Sources include: BleepingComputer, TechCrunch, Vice, and posts on X (formerly Twitter) by Brewster Kahle and Troy Hunt.