A Security Incident at The Internet Archive: More Than 31 Million User Accounts Exposed

The Internet Archive, a philanthropic digital repository renowned for its Wayback Machine, has confirmed a significant security breach affecting over 31 million users, in addition to a series of distributed denial-of-service (DDoS) attacks.

During the afternoon of October 9, visitors to The Internet Archive site began encountering pop-up notifications stating: “Have you ever experienced the feeling that the Internet Archive is vulnerable and at risk of a massive security breach? Well, it just occurred. Find 31 million of you on HIBP!”

HIBP, short for “Have I Been Pwned?”, is a free online service that lets users check whether their personal details have been exposed in a previous data breach.

The attackers were able to access a 6.4 GB SQL database containing authentication details of the Archive’s members, including email addresses, usernames, password-change timestamps, and bcrypt-hashed passwords, as reported by Bleeping Computer.

However, HIBP notes that about 54% of the compromised information was already on its platform, having been exposed in earlier breaches. How the attackers breached The Internet Archive, and whether they took additional data, remains unknown.

Jake Moore, a cybersecurity consultant at ESET, conveyed in an email to TechRepublic, “Typically, altering historical records is nearly impossible, but this security compromise represents the closest we’ve ever come to it. The stolen dataset contains personal details; however, the obtained passwords are fortunately encrypted.”

He remarked, “Nevertheless, it serves as a reminder to ensure that all your passwords are distinct since even encrypted passwords might be compared against prior instances of their use.

“Have I Been Pwned is a remarkable free service that proves useful following a breach. It maintains millions of leaked usernames and passwords for users to ascertain if their credentials have ever been part of a security breach.

“If you discover your details in any known breaches, it’s advisable to modify those passwords and activate multi-factor authentication.”

Once the website is reinstated, members of The Internet Archive can update their passwords.

Sequence of events in this week’s attacks on The Internet Archive

The most recent password-change timestamp in the dataset is September 28, implying that this was when the breach occurred. Troy Hunt, the operator of HIBP, said that he had received the file on September 30 and confirmed its validity by cross-matching the data with a user’s account details.

In a post on X, Hunt disclosed that he had informed The Internet Archive of the breach on October 6 and would load the breached data into HIBP within 72 hours. Shortly after, The Internet Archive faced a separate DDoS attack, which was brought under control within one hour.

As Hunt started loading the data into HIBP on October 9, the pop-up notifications coincidentally appeared. By 5:30 p.m. ET, both the pop-up alerts and the website itself had been taken down, with users shown a message stating that “services are momentarily offline” and directing them to The Archive’s X account for updates.

According to archivist Jason Scott, the website was also experiencing an additional DDoS attack. Kahle confirmed the security breach and the DDoS on X shortly after 9 p.m. ET. He said that the pop-up notifications had been inserted via the site’s JavaScript library, which had since been disabled, and that the second DDoS attack was being “repelled.”

However, the following day, Kahle posted an update on X stating that the DDoS attacks had resumed, taking both archive.org and openlibrary.org offline. At present, both sites remain inaccessible while system enhancements are underway.

BlackMeta Claims Responsibility for the DDoS Attacks

BlackMeta, a hacktivist organization, claimed responsibility on October 10 for the DDoS attacks against The Internet Archive in a written statement and a video shared on X. Scott mentioned on Mastodon that “their actions seem arbitrary, driven purely by the capability to do so, without any clear agenda, demands, or rationale.”

Earlier, in May, BlackMeta had publicly claimed a disruption of the Archive’s services, which Scott subsequently confirmed. The DDoS attacks are believed to be independent of the data breach, and Kahle has given assurances that none of the Archive’s contents have been tampered with.

Increase in DDoS Attacks

A denial-of-service (DoS) attack is a technique used by malicious actors to block legitimate users from accessing a web server, web app, or cloud service by flooding it with requests.

Unlike a regular DoS attack, a distributed denial-of-service attack uses numerous devices on different networks to disrupt a specific service; it is harder to counter because the traffic comes from many sources.

According to a NETSCOUT report, application-layer DDoS attacks rose 43% and volumetric DDoS attacks rose 30% in the first half of this year. The study showed that critical sectors like banking, finance, and public services are preferred targets for maximal impact.

Recently, Cloudflare mitigated a DDoS attack described as the largest ever reported.
