Internet Archive's Wayback Machine suffers a catastrophic breach; hackers steal ...
In a shocking turn of events, the Internet Archive's Wayback Machine has fallen victim to a massive data breach. Hackers compromised the website, stealing a user authentication database containing 31 million unique records. This alarming incident has raised serious concerns about the security of one of the internet's most cherished repositories.
### Breach Unveiled
On Wednesday afternoon, visitors to archive.org were met with an unexpected and unsettling JavaScript alert:
> _"Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!"_
The message was a stark announcement from the hackers themselves, indicating not only the breach but also hinting at the data's impending addition to Have I Been Pwned (HIBP), a renowned data breach notification service.
### Confirmation from Have I Been Pwned
Troy Hunt, the creator of HIBP, confirmed that he received a file nine days prior containing the stolen data:
- File Name: `ia_users.sql`
- Size: `6.4GB SQL file`
- Contents: `Email addresses, screen names, password change timestamps, bcrypt-hashed passwords, and other internal data`.
- Unique Email Addresses: `31 million`
Hunt verified the data's authenticity by matching it with known user accounts, including that of cybersecurity researcher Scott Helme. Helme confirmed that the bcrypt-hashed password in the database matched his own records.
### Internet Archive's Response
Later that evening, Brewster Kahle, founder of the Internet Archive, acknowledged the breach on X (formerly Twitter):
> _"What we know: DDoS attack—fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords. What we've done: Disabled the JS library, scrubbing systems, upgrading security. Will share more as we know it."_
In addition to the data breach, the Internet Archive suffered a Distributed Denial of Service (DDoS) attack, causing significant downtime and accessibility issues for users worldwide.
### Attackers: BlackMeta Hacktivist Group
An account on X named SN_Blackmeta claimed responsibility for the attack. The group has a history of targeting the Internet Archive, with previous DDoS attacks reported in May. They indicated plans for additional attacks, stating they act "just because they can," without any explicit demands or statements.
### Timeline of Events
- September 28th, 2024: Most recent timestamp in the stolen data, likely when the database was compromised.
- October 6th, 2024: Troy Hunt contacts the Internet Archive, initiating a disclosure process.
- October 9th, 2024: The Internet Archive's website is defaced and subjected to a DDoS attack while HIBP prepares to notify affected users.
### Implications for Users
The stolen data includes sensitive information:
- Email Addresses
- Screen Names
- Password Change Timestamps
- Bcrypt-Hashed Passwords
Although bcrypt is a strong hashing algorithm, the exposure of hashed passwords poses a risk, especially if users have weak passwords or reuse passwords across multiple sites.
### What You Should Do
If you have an account with the Internet Archive:
1. Change Your Password Immediately: Choose a strong, unique password.
2. Enable Two-Factor Authentication (2FA): If available, add an extra layer of security.
3. Monitor Your Accounts: Be vigilant for any suspicious activity on your email and other online services.
4. Check Have I Been Pwned: Visit haveibeenpwned.com to see if your email has been compromised in this or other breaches.
### Technical Analysis
#### Breach Vector
While the exact method of the breach remains unknown, the attackers managed to:
- Compromise a JavaScript Library: Used to deface the website and display the alert message.
- Access the User Authentication Database: Extracting sensitive user data.
### Data Protection Measures
The passwords were stored as bcrypt hashes. bcrypt is considered secure because it is deliberately expensive to compute, which slows down every guess an attacker makes against a stolen hash. It does not make guessing impossible: given enough time and resources, weak passwords can still be recovered from their hashes.
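For operators who store bcrypt hashes, the computational difficulty described above is set by the cost field embedded in each stored hash. The following added example (not code from the Internet Archive or from this article) parses stored bcrypt strings and flags those below a target cost or sharing a salt; the target cost of 12, the function names and the sample rows are assumptions constructed for illustration.

```python
import re

# bcrypt modular crypt format: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")

def parse_bcrypt(stored):
    """Return the fields of a stored bcrypt string, or None if it is malformed."""
    m = BCRYPT_RE.fullmatch(stored)
    if not m:
        return None
    variant, cost, salt, digest = m.groups()
    if not 4 <= int(cost) <= 31:  # bcrypt defines cost factors 4..31 only
        return None
    return {"variant": variant, "cost": int(cost), "salt": salt, "digest": digest}

def audit(rows, target_cost=12):
    """List (user, reason) for hashes to replace at the user's next login.

    target_cost is a site policy value; 12 is an assumption for this example.
    """
    findings, salt_owner = [], {}
    for user, stored in rows:
        parsed = parse_bcrypt(stored)
        if parsed is None:
            findings.append((user, "not a bcrypt hash"))
            continue
        if parsed["cost"] < target_cost:
            # Each cost step doubles the work per guess, so the gap is 2**difference.
            factor = 2 ** (target_cost - parsed["cost"])
            findings.append((user, f"cost {parsed['cost']} is {factor}x cheaper "
                                   f"per guess than cost {target_cost}"))
        if parsed["salt"] in salt_owner:
            # Salts must be unique per hash; a repeat points to broken salt generation.
            findings.append((user, f"salt shared with {salt_owner[parsed['salt']]}"))
        else:
            salt_owner[parsed["salt"]] = user
    return findings

def fake_hash(cost, salt_char):
    """Build a syntactically valid bcrypt string (constructed, not a real hash)."""
    return f"$2b${cost:02d}${salt_char * 22}{'x' * 31}"

# Constructed sample rows: (screen name, stored password field).
SAMPLE = [("alice", fake_hash(12, "a")), ("bob", fake_hash(8, "b")),
          ("carol", fake_hash(10, "b")), ("dave", "0" * 32)]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE):
        print(f"{user}: {reason}")
```

Rows it reports are candidates for rehashing at the target cost the next time the user logs in, since the plaintext is only available at that moment.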
### Security Challenges
The breach highlights potential vulnerabilities:
- Third-Party Libraries: Compromised JavaScript libraries can be an attack vector.
- Delayed Response: The Internet Archive's lack of immediate communication may have exacerbated the situation.
### Official Statements
Jason Scott, an archivist at the Internet Archive, noted on Mastodon:
> _"According to their Twitter, they're doing it just to do it. Just because they can. No statement, no idea, no demands."_
Brewster Kahle assured users that steps are being taken to enhance security and that more information will be shared as it becomes available.