Internet Archive Hacked: Data of 31 Million Users Stolen

The Wayback Machine website, operated by the non-profit Internet Archive, has suffered a major data breach. Unknown attackers hacked the site and stole the user authentication database, which contains over 31 million unique records.

The breach became public on Wednesday, October 9, 2024. Visitors to archive.org were the first to notice the hack, as the attackers created a JavaScript alert directly stating that the Internet Archive had been compromised.

Hackers’ Message

The hackers’ message read: “Didn’t it ever seem like the Internet Archive was running on a wing and a prayer, always on the verge of a catastrophic security breach? That’s exactly what just happened. See you 31 million of you on HIBP.”

HIBP refers to the “Have I Been Pwned” service, which collects information about data breaches. Users can check if their information has been compromised and sign up for notifications. The service was created by cybersecurity expert Troy Hunt, and hackers often share stolen data with him to add to the HIBP database.

Details of the Breach

Troy Hunt told Bleeping Computer that nine days ago, an attacker shared the Internet Archive’s authentication database with him. The database is a 6.4 GB SQL file (ia_users.sql).

This database contains authentication information for registered users, including their email addresses, usernames, password change timestamps, bcrypt-hashed passwords, and other internal data. The most recent timestamp in the stolen records is from September 28, 2024, which is believed to be when the database was stolen.

According to Hunt, the database contains 31 million unique email addresses, and many of these users are already subscribed to breach notifications on HIBP. Hunt has contacted some individuals whose information appeared in the leak, and they confirmed the authenticity of the data.

Confirmed Compromised Accounts

One of those affected was cybersecurity expert Scott Helme, who allowed Bleeping Computer to publish his compromised record in full:

9887370, [email protected], $2a$10$Bho2e2ptPnFRJyJKIn5BiehIDiEwhjfMZFVRM9fRCarKXkemA3PxuScottHelme, 2020-06-25,2020-06-25,[email protected],2020-06-25 13:22:52.7608520,\N0\N\N@scotthelme\N\N\N

Helme confirmed that the bcrypt-hashed password matches the one stored in his password manager. He also showed that the timestamp in the database matches the date he last changed his password.

HIBP Database Updated

The dump has already been added to the HIBP database, so all users can check if their data was exposed in the Internet Archive breach. Those subscribed to breach notifications have already received alerts.

Troy Hunt said he contacted Internet Archive representatives three days ago to inform them that the stolen database would be uploaded to HIBP within 72 hours, but he has not received a response from the organization.

Unanswered Questions

It remains unclear how the attackers gained access to the Internet Archive, what their motives were, or whether any other data was stolen.

Internet Archive founder Brewster Kahle posted on X (formerly Twitter) that the site recently fended off a DDoS attack, but the JavaScript-based website defacement has now been fixed. He also stated that the Internet Archive is aware of the breach, has disabled the affected JS library, and is cleaning its systems to improve security. No further details were provided. It is still unknown whether the DDoS attack and the hack are related.