The Internet Archive, known for preserving vast amounts of web content, revealed a major security incident this week involving the data of 31 million user accounts. The breach came to light after a message appeared on the site’s homepage, notifying visitors of the attack with a blunt warning: “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of a catastrophic security breach? It just happened. See 31 million of you on HIBP!”
Sensitive User Data Compromised
Hackers obtained sensitive information, including email addresses, usernames, and encrypted passwords. The stolen data, amounting to 6.4GB, was verified by Troy Hunt, a well-known security researcher behind the Have I Been Pwned (HIBP) website. Hunt, who received the data on September 30, confirmed its authenticity and alerted the Internet Archive on October 6. The breach was officially acknowledged by the organization a day later.
Hunt’s analysis revealed that over half of the affected accounts had already been compromised in past breaches, highlighting ongoing challenges with online security. The compromised information also included details about password changes, indicating that hackers had gained access to more than just basic user credentials.
DDoS Attacks Amplify the Chaos
As the organization worked to handle the breach, a wave of distributed denial-of-service (DDoS) attacks added to the chaos. The Internet Archive’s founder, Brewster Kahle, confirmed that multiple DDoS attempts had hit the site around the same time as the breach.
An entity called BlackMeta took credit for these attacks, which disrupted access to the archive’s resources. BlackMeta, known for targeting the site in May, announced plans for further attacks, exacerbating the crisis.
The DDoS campaign included exploiting a vulnerability in a JavaScript library used by the archive. This allowed the attackers to deface the site, leading the organization to disable the compromised library and begin a thorough cleanup of its systems.
Legal Troubles Mount for the Nonprofit
The timing of the breach couldn’t be worse for the Internet Archive, as it’s already facing serious legal issues. Recently, a court ruled against the nonprofit in a case brought by publishers over digital lending practices, raising concerns about the archive’s financial stability. Additionally, a lawsuit from music labels could result in over $600 million in damages, putting the future of the organization at risk.
With these lawsuits hanging over its head, the breach adds another layer of complications for an entity that plays a key role in preserving internet history. The nonprofit’s dual challenges—legal and technical—threaten to disrupt its mission and impact millions of users who rely on its services.
Hunt Calls for Understanding Amid Security Failures
Troy Hunt said that although he had urged the Internet Archive to disclose the breach sooner, he recognized the difficulties it faced given the onslaught of DDoS attacks. Hunt proceeded to load the compromised data into HIBP, enabling affected users to check whether their accounts were exposed. He emphasized that the organization’s nonprofit nature and its role in web preservation should be considered when evaluating its response to the breach.
Obviously I would have liked to see that disclosure much earlier, but understanding how under attack they are I think everyone should cut them some slack. They’re a non-profit doing great work and providing a service that so many of us rely heavily on.
— Troy Hunt (@troyhunt) October 9, 2024
Users of the Internet Archive are advised to change their passwords and keep an eye on account activity for any unusual behavior. Meanwhile, the organization continues its efforts to stabilize the situation and prevent further attacks, navigating a turbulent period of both technical and legal turmoil.
Last Updated on November 7, 2024 2:36 pm CET