Internet History Compromised: Wayback Machine Hit by Hackers, 31 Million Passwords Stolen
The Internet Archive, home to the popular Wayback Machine, has suffered a major security breach, with hackers compromising 31 million passwords and launching a large-scale Distributed Denial-of-Service (DDoS) attack. Although it’s still unclear whether the breach of user data and the DDoS attack are connected, evidence suggests both incidents may be part of a coordinated assault by the same threat actors.
What We Know So Far
The first indication of trouble came directly from the Internet Archive’s website, where visitors were greeted with an alarming pop-up message:
“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of a catastrophic security breach? It just happened. See 31 million of you on HIBP!”
Troy Hunt, the founder of the Have I Been Pwned (HIBP) data breach alert service, confirmed to BleepingComputer that the hackers had shared a 6.4GB database containing user authentication data. According to Hunt, the stolen database appears to be genuine, containing email addresses, usernames, password change timestamps, Bcrypt-hashed passwords, and other internal records from registered users.
The most recent timestamp in the database suggests that the breach occurred on September 18, 2024. Hunt stated that the stolen records—31 million in total—will soon be added to the HIBP service, allowing affected users to verify if their data was compromised.
Attackers Gained Web and Network Control
Security experts have raised concerns about the extent of the attack. Jason Meller, vice president of product at 1Password and former security strategist at Mandiant, noted that the attackers likely had access to backend infrastructure. “The exfiltration of the database indicates backend access, and the defacement of pages suggests the attackers also had control over web content.”
Additionally, the repeated disruptions to the Internet Archive’s website imply that the attackers achieved significant dominance at the network level, making the DDoS attacks difficult to fend off.
Limiting the Damage
Despite its limited resources, the Internet Archive employed some critical security practices that helped mitigate the fallout. Adam Brown, a security consultant at Black Duck, praised the use of Bcrypt to hash passwords. “Bcrypt, when implemented properly, prevents passwords from being easily extracted,” Brown explained. “While hashes for common passwords can sometimes be looked up, the use of salted hashes ensures that look-up tables won’t work in this case.”
However, the exact method the hackers used to access the SQL database remains unclear. Brown speculated that the breach could have resulted from “misconfigured or weak security controls.”
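Brown's point about salted hashes and look-up tables can be shown with a short added example (not code from the Internet Archive or from anyone quoted here). It assumes PBKDF2 from Python's standard library as a stand-in for Bcrypt, which is not in the standard library; the user names, passwords and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this demo, not a recommendation

def unsalted_hash(password):
    """Fast, unsalted digest: the same password always yields the same value."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt=None):
    """Return (salt, key). A fresh random 16-byte salt is drawn per record."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key

def verify(password, salt, key):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, key)

def build_lookup_table(common_passwords):
    """Precomputed digest -> password map, built once without any salt."""
    return {unsalted_hash(p): p for p in common_passwords}

def lookup_hits(table, stored_values):
    """Count stored values that appear in the precomputed table."""
    return sum(1 for value in stored_values if value in table)

# Constructed sample data: two users share a common password.
COMMON = ["123456", "password", "qwerty"]
USERS = {"alice": "password", "bob": "password", "carol": "x7#Lq9!vTz"}

def demo():
    table = build_lookup_table(COMMON)
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p) for u, p in USERS.items()}
    return {
        "unsalted_hits": lookup_hits(table, unsalted.values()),
        "salted_hits": lookup_hits(table, [k.hex() for _, k in salted.values()]),
        "same_password_same_unsalted": unsalted["alice"] == unsalted["bob"],
        "same_password_same_salted": salted["alice"][1] == salted["bob"][1],
        "login_ok": verify("password", *salted["alice"]),
        "wrong_rejected": not verify("letmein", *salted["alice"]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt only defeats precomputed tables and hides which accounts share a password; it does not make a reused password safe on other sites, which is the reason for the unique-password advice later in the article.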
A Political Angle?
Brewster Kahle, founder of the Internet Archive, addressed the incident on X (formerly Twitter), stating:
“What we know: DDoS attack—fended off for now; website defacement via a compromised JS library; breach of usernames, emails, and salted-encrypted passwords. What we’ve done: Disabled the JS library, scrubbed systems, and are upgrading security. We’ll share more details as they become available.”
While the hackers behind the data breach remain unidentified, cybersecurity experts suggest political motives may have played a role. Donny Chong, director at Nexusguard, noted that hacktivist groups often employ DDoS attacks to make political statements. In this case, the pro-Palestinian hacktivist group Black Meta has claimed responsibility for the DDoS attack, though they have not taken credit for the data breach.
The Importance of Unique Passwords
Jake Moore, a global cybersecurity advisor at ESET, emphasized the broader implications of the stolen data. “This breach offers a rare glimpse into the idea of ‘hacking the past,’ given the Internet Archive’s role in preserving the web’s history,” Moore said. He also reminded users that even encrypted passwords, if reused across multiple sites, could put them at risk. “It’s a good reminder to ensure every password is unique.”