Massive Breach at Internet Archive's Wayback Machine - Millions of user records compromised

Ashwin
Oct 10, 2024
Security

The Internet Archive has been hacked. The data breach has resulted in the theft of credentials of 31 million users.

Good to know: The Internet Archive is a non-profit organization that aims to preserve content that would otherwise be lost forever. Google has started to add links to the archive in Google Search.

Internet Archive's Wayback Machine hacked, and user data stolen

Users who visited The Wayback Machine yesterday were greeted by a message on the website which read as follows: "Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!"

(Image credit: BleepingComputer)

For those unaware, HIBP refers to the popular breach-notification website Have I Been Pwned. BleepingComputer reports that Troy Hunt, who created HIBP, told the blog that the attackers had shared the stolen authentication database with the breach notification service 9 days ago.

Hunt notified the Internet Archive 3 days ago, but the San Francisco-based non-profit did not respond to him. You can visit https://haveibeenpwned.com/ to check whether your email address was exposed in the Internet Archive data breach.

The compromised data includes email addresses, usernames, password change timestamps, and similar fields. But I wouldn't panic just yet; reset your password if you want to. It appears the passwords themselves were not stolen in plaintext: the report mentions only bcrypt-hashed passwords (one-way, salted hashes) being compromised, which cybersecurity researcher Scott Helme later confirmed.
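The bcrypt detail is what decides how much a leaked credential table actually exposes, so here is an added example (not from the article, nor anything from the Internet Archive) that parses the bcrypt modular-crypt format, reads out the cost factor, and flags records that are weakly costed or not bcrypt at all. The dump lines, email addresses, salts and digests are constructed placeholders.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# bcrypt modular-crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(r"^\$2([abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Constructed sample dump (email:stored_credential); every value here is a placeholder.
SAMPLE_DUMP: List[str] = [
    "alice@example.com:$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "bob@example.com:$2a$04$zyxwvutsrqponmlkjihgfe9876543210ZYXWVUTSRQPONMLKJIHGF",
    "carol@example.com:0123456789abcdef0123456789abcdef",  # unsalted fast hash, not bcrypt
    "dave@example.com:hunter2",                             # plaintext
]

class BcryptInfo(NamedTuple):
    variant: str
    cost: int
    salt: str
    digest: str

    @property
    def rounds(self) -> int:
        # Work factor: bcrypt's key setup runs 2**cost times for every password guess.
        return 2 ** self.cost

def parse_bcrypt(value: str) -> Optional[BcryptInfo]:
    """Split a bcrypt string into its fields; None if it is not bcrypt-formatted."""
    m = _BCRYPT_RE.match(value)
    if m is None:
        return None
    variant, cost, salt, digest = m.groups()
    return BcryptInfo(variant, int(cost), salt, digest)

def classify(stored: str, min_cost: int = 10) -> str:
    """Rate one stored credential by how much a leak of it exposes the user."""
    info = parse_bcrypt(stored)
    if info is None:
        return "not-bcrypt"        # plaintext or an unsalted fast hash: treat as exposed
    if info.cost < min_cost:
        return "bcrypt-weak-cost"  # salted and one-way, but cheap to guess offline
    return "bcrypt-ok"

def audit_dump(lines: List[str], min_cost: int = 10) -> Dict[str, str]:
    """Map each email in an 'email:credential' dump to its classification."""
    report: Dict[str, str] = {}
    for line in lines:
        email, _, stored = line.strip().partition(":")
        report[email] = classify(stored, min_cost)
    return report

if __name__ == "__main__":
    for email, verdict in audit_dump(SAMPLE_DUMP).items():
        print(f"{email}: {verdict}")
```

The per-user salt is the reason two users with the same password get different digests, and the cost factor is why a leaked bcrypt table still warrants a reset but not panic: each guess costs the attacker 2**cost rounds.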

Still, the stolen records cover 31 million unique email addresses, so that is a bit of a bother. Actually, this is the perfect time to illustrate the importance of using email alias services like SimpleLogin, Firefox Relay, DuckDuckGo's Email Protection, etc. These services, many of which are free (with optional premium tiers), hide your real email address behind an alias, so a breach or a spam list only ever sees the alias. Any emails sent to the alias are forwarded to your real inbox without the sender learning your real address.

It is unclear how the attackers breached the Internet Archive. The website also suffered a DDoS attack by the BlackMeta hacktivist group, which bragged that it had been attacking the site for over 5 hours and that it would keep doing so. For what it's worth, the website seems fine now.

On a side note, the Internet Archive lost its legal battle against Hachette when the US Court of Appeals for the Second Circuit ruled that the digital archive violated copyright law. The Internet Archive had argued on appeal that its lending library adhered to the fair use doctrine, which permits certain uses of copyrighted works without permission. The court rejected the argument. (via Wired)

Here's some context: the Internet Archive's National Emergency Library aided many people, including students, during the COVID-19 pandemic when they could not access books. They could use the Open Library to access scanned versions of physical books. This, however, raised concerns among publishers, who criticized it as piracy of copyrighted material and soon filed a lawsuit against the Internet Archive. Unsurprisingly, the Internet Archive lost the case, but the court did recognize it as a non-profit operation.

That's why this data breach doesn't make sense to me. Do you remember when a ransomware gang targeted a hospital? The Internet Archive is a non-profit organization; it is essentially a public service. What point are the hackers trying to prove? If they found the security of the site to be terrible, why not just alert them or help fix the problems? Of course, there is the fact that user data was taken, which could potentially be used for cross-checking and breaching other services. But still, it's an unusual attack, because the usual targets are businesses.

Publisher: Ghacks Technology News

Comments

  1. Linux said on October 14, 2024 at 6:18 pm

    Install Gentoo.

  2. Ms Turd said on October 12, 2024 at 11:00 am

    Oh no, now they got my throwaway shitmail address I use for everything that has zero value to me. You know that mail, when you bother to check it once a year and it’s got 300 million IMPORTANT mails you have to click on right away! Deals to be made and ladies to satisfy! They even offer to double the size of your penis! FOR FREE!!!!! And I’m a woman!!! I don’t know how I will ever recover from this if I lose that mail address. I am also very weird, because my shitmail password is very unique and only used on that email. What can we learn from this? Everybody needs a shitmail address.

  3. anonymous said on October 11, 2024 at 3:01 am

    Perhaps this hack was used to erase archives they do not want you to see?

    1. truth said on October 23, 2024 at 7:11 pm

      This is worth thinking about.

  4. zork said on October 11, 2024 at 12:26 am

    A nothingburger. P/Ws not compromised, and even if they were, it’s not like this is your bank account. I use a very old yahoo address for sign-ups like this. If some hacker gets the address, no problem, yahoo has quite effective spam filtering and there’s not much else they can do with it.

  5. John said on October 10, 2024 at 2:48 pm

    Seems pretty clear any entity connected to the internet is never 100% safe. It’s a hacker’s dream to have all this personal information available to them when they manage to find that weak link in the chain.

  6. TelV said on October 10, 2024 at 2:30 pm

    Just checked my old p/w for my Microsoft a/c which I haven’t used for several years, decades even (!) and it appears on the “Have I been pwned site” as being compromised.

    But what a hassle to change your p/w on the old Hotmail site which has been switched to Outlook.com. Instructions around the web don’t align properly because the sequence to achieve that goal has been changed and it’s just pretty much an exercise in futility now. I had to use the old “forgot password” option and then use the 25 alpha/numeric recovery code (which was changed several times during the procedure) and even then you have to jump through several hoops just to perform that simple task.

    In addition to that M$ tries to persuade you to part with even more of your privacy and to use AI and agree to all the rest of their data collection options into the bargain. I managed to avoid most of it, but it took me almost two hours before the light at the end of the tunnel appeared.

    1. TelV said on October 10, 2024 at 5:42 pm

      Hmmm… I saw all those screens shown in this Bleeping Computer article regarding a nefarious app called Mamba 2FA bypass when I changed my Microsoft account password earlier today: https://www.bleepingcomputer.com/news/security/new-mamba-2fa-bypass-service-targets-microsoft-365-accounts/

      I assume though that hackers will still need the 25 alpha/numeric code that I received from Microsoft to do any damage. Not that I’m a rich man by any means.

  7. Bobo said on October 10, 2024 at 10:19 am

    “Any emails that are sent to the alias are sent to your real email’s inbox” Wow, that’s not really optimal is it?

    1. Anonymous said on October 11, 2024 at 5:03 am

      It is, because that’s exactly what you use an email-alias service for.
      If you don’t want to receive ANY mails, just enter a totally fake (but existing) email.
      If you just want to receive the 1st mail and nothing ever after, use something like Guerrilla Mail.
      There is nothing like “only forwards good mails” (and there even can’t be, because this kind of decision problem is equivalent to Turing’s halting problem and thus can’t be computationally solved. BTW, for the same reason, malware scanners can never perfectly detect malware, because that’s even theoretically impossible and also equivalent to Turing’s halting problem).

      To get more practical: just imagine your postman, arbitrarily throwing away your mail as he deems fitting, by discarding/burning all your mail that he deems “not good” and only delivering those he deems “valid”.
      I’m pretty sure you don’t want something like that, especially not, if a crucial mail has been lost for the nth time and you are, as a result of your non-action, being litigated, fined or even apprehended for not properly responding (eg if he classified all your invoices or court orders as spam and never delivered them).

      1. Bobo said on October 12, 2024 at 11:04 am

        Wow, what a long useless rant. If I use a fake or alias email address anywhere, I sure as hell do not want anything from that being sent to my real email.

      2. Anonymous said on October 12, 2024 at 5:50 pm

        If you don’t want anything sent to your real email address, then you surely won’t use an alias email service, because they relay everything to your real email. That’s how these services work. You seem to be totally oblivious of how they work and what they are good for.

      3. Not bobo said on October 23, 2024 at 7:14 pm

        Thank you for explaining. Some people don’t want to be helped!

  8. John G. said on October 10, 2024 at 10:00 am

    Internet is safe, until you give your data. Thanks @Ashwin for the article! :]

    1. Anonymous said on October 11, 2024 at 5:16 am

      Certainly not. Even if you don’t use ANY non-personalized services (this means you only use websites anonymously, without creating any account, or not at all), your hardware/computer infrastructure is still vulnerable, as long as it is connected to the internet.
      The internet is only safe, as long as you don’t connect to it. Same as with society.
      Society is only guaranteed to be perfectly safe, as long as you avoid contact with any human being in any way (be it in persona, or digitally).
