Internet Archive Hacker Has Access To 800K+ Support Tickets; Mass Sending Emails

Caitlyn Pauley


The Internet Archive has recently experienced a significant cyberattack, resulting in the theft of 31 million user accounts and subsequent distributed denial-of-service (DDoS) attacks that have disrupted its services. It seems they have finally been able to bring some of the site's functionality back online, but in limited form.

Today the hacker sent out a mass email to a subset of people who had a support ticket with the Internet Archive going back to as early as 2018. The hacker claims that they have access to some 800,000+ support tickets and whatever information was shared in those. One version of the email looks like this:

It’s dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets.

As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to info@archive.org since 2018.

Whether you were trying to ask a general question, or requesting the removal of your site from the Wayback Machine—your data is now in the hands of some random guy. If not me, it’d be someone else.

Here’s hoping that they’ll get their shit together now.

The email comes directly from The Internet Archive Team (Internet Archive) at the email address support@archivesupport.zendesk.com.

In the email, the hacker alleges that the Internet Archive failed to rotate API keys exposed in the initial breach, leaving them vulnerable to further exploitation. This allowed the hacker to obtain a Zendesk token granting access to a vast trove of sensitive user data, including names, email addresses, and the content of support requests.
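An added example, not from the original article or from the Internet Archive: a post-disclosure rotation audit that lists credentials kept in an exposed store and not replaced since the breach became known. The inventory format, secret names, store labels and the "as of" date are constructed assumptions; the disclosure date is the October 9, 2024 date given in this article.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed inventory: names, stores and dates are illustrative placeholders.
INVENTORY_CSV = """name,stored_in,last_rotated
helpdesk-api-token,source-control,2019-03-11T00:00:00+00:00
object-storage-key,source-control,2024-10-12T08:30:00+00:00
ci-deploy-token,source-control,
mail-relay-password,vault,2023-01-05T00:00:00+00:00
"""

def parse_ts(value):
    """Return an aware datetime, or None when the rotation date is unknown."""
    return datetime.fromisoformat(value) if value.strip() else None

def unrotated_secrets(inventory_csv, exposed_store, disclosed_at, as_of):
    """List secrets kept in the exposed store that were not rotated after disclosure.

    A secret with no recorded rotation is treated as never rotated, so it is
    flagged rather than silently skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["stored_in"] != exposed_store:
            continue  # not part of the exposed set
        rotated = parse_ts(row["last_rotated"])
        if rotated is not None and rotated > disclosed_at:
            continue  # replaced after the breach became known
        findings.append({
            "name": row["name"],
            "last_rotated": rotated,
            "days_since_disclosure": (as_of - disclosed_at).days,
        })
    # Unknown rotation dates first, then the oldest credentials.
    findings.sort(key=lambda f: (f["last_rotated"] is not None,
                                 f["last_rotated"] or disclosed_at))
    return findings

if __name__ == "__main__":
    disclosed = datetime(2024, 10, 9, tzinfo=timezone.utc)
    today = datetime(2024, 10, 23, tzinfo=timezone.utc)  # constructed "as of" date
    for f in unrotated_secrets(INVENTORY_CSV, "source-control", disclosed, today):
        print(f["name"], f["last_rotated"], f["days_since_disclosure"])
```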

“It’s dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets,” the email reads. “As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to info@archive.org since 2018.”

The hacker’s message emphasizes the sensitivity of the compromised data, which includes everything from general inquiries to requests for website removal from the Wayback Machine. “Whether you were asking a general question or requesting that your site be removed from the Wayback Machine, your data is now in the hands of a random individual. If it wasn’t me, it would be someone else.” This situation raises significant concerns about the Internet Archive’s security measures and its ability to protect user data. The organization has not yet released a public statement regarding this recent claim.

Here’s a screenshot of the email with some identifying information redacted:

Summary Of The Hack

  • A major data breach exposed 31 million unique user records.
  • The breach was confirmed by Troy Hunt, creator of Have I Been Pwned (HIBP).
  • The Internet Archive has faced ongoing DDoS attacks since the breach.

The Internet Archive, a non-profit organization well-known for its digital library and the Wayback Machine, recently experienced a serious data breach that compromised the information of 31 million users. News of this significant incident broke on October 9, 2024, when alarming JavaScript alerts began appearing on the site, directly from the attackers. The pop-up message read:

“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”

This bizarrely humorous yet concerning message hinted at the scale of the breach and directed users to the Have I Been Pwned (HIBP) service, an online tool designed to help individuals check if their personal details have been compromised in data leaks.

The compromised database, which spans 6.4 GB, includes vital authentication records such as user email addresses, screen names, password change timestamps, and Bcrypt-hashed passwords. This information is critical for registered users of the Internet Archive, and its exposure poses grave concerns over privacy and security.

Troy Hunt, the operator of HIBP, validated the incident, stating that he received the compromised database on September 30. In subsequent communication, Hunt highlighted that the breach appeared to have occurred 9 days before the public announcement. This breach was particularly notable as it contained numerous accounts already flagged in prior data leaks, with around 54% of the records exposed via HIBP previously compromised.

Hunt remarked:

“The timing on the last point seems to be entirely coincidental.”

This suggests that the Internet Archive was hit by multiple threats, and the DDoS attacks that followed may not directly relate to the data breach itself. Nonetheless, these attacks significantly destabilized the Archive’s services.

Following the initial reports of the data breach, users sought confirmation from the Internet Archive, which had been relatively quiet. However, Brewster Kahle, the founder and digital librarian at the Internet Archive, eventually tweeted updates confirming the breach. He explained that the attack included a DDoS component:

“What we know: DDOS attacked—fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords.”

As the incidents escalated, Kahle detailed the steps the organization was taking, such as disabling the exploited JavaScript library, enhancing security measures, and conducting a thorough system audit. Despite these actions, further DDoS attacks persisted, preventing users from accessing the website for extended periods. The DDoS attacks, claimed by a group called BlackMeta, have intensified the turmoil surrounding the Internet Archive.

In one of their updates, Kahle noted that the group had publicly expressed its intention to disrupt the Archive’s operations again, stating that their goal was to draw attention to global issues, particularly the plight of people in Palestine.

This ongoing series of attacks raises the question: Why has the Internet Archive, a non-profit digital library that provides access to numerous informational resources, become such a target? Some speculate that its vital role as a major public resource has made it an attractive target for those seeking to control digital narratives. Hacking databases can severely damage reputational trust, especially when attackers have malicious intentions.

Cybersecurity experts have commented on the state of the Internet Archive following these attacks. Jake Moore, a global cybersecurity advisor at ESET, emphasized the importance of having strong and unique passwords.

“It’s a good reminder to make sure all your passwords are unique as even encrypted passwords can be cross-referenced against previous uses of it.”

The ramifications for users are serious, as registered members will need to change their passwords once the service is restored. Meanwhile, the process of securing data systems continues as the threatened organization maneuvers through these crises.

As of now, concerns remain about whether additional sensitive data was compromised. No further details have emerged regarding how the attackers initially gained access to the Internet Archive’s systems. Without a clear understanding of the breach’s mechanics, the organization faces a daunting task of shoring up defenses against future threats.

In light of these stark realities, awareness surrounding the vulnerabilities of online databases continues to grow. The incident serves as a reminder of the inherent risks involved in storing personal information on shared platforms, regardless of their reputable standing. In recent months, cyberattacks generally have become more frequent and complex, complicating the landscape for non-profits like the Internet Archive.

Responding to Cyber Threats

As the Internet Archive recovers from recent attacks, attention turns to measures that can enhance cybersecurity. Implementing strict privacy protocols and educating users about creating strong passwords through workshops or webinars can help build trust and security. These measures are vital not only for the Internet Archive but for all platforms that store personal data.

A better understanding of the tactics used by attackers can assist organizations in strengthening their defenses. For example, actively monitoring network traffic and using advanced security tools that adapt to new threats can help protect against vulnerabilities.

The notable increase in DDoS activity—reported to have risen by as much as 43% this year—underscores the importance of vigilance against potential attacks that could disrupt access or compromise data integrity.

It is essential for both users and providers to collaborate in advocating for robust cybersecurity frameworks that prioritize user safety and data integrity. The immediate recovery of the Internet Archive may require additional resources, innovation, and community support, which are critical for protecting invaluable digital history against future threats.

These alarming incidents not only reveal the organization’s vulnerabilities but also raise broader concerns for digital libraries and similar institutions. As online resources face growing threats, initiatives aimed at strengthening data security are crucial to safeguarding vital information. While recovery efforts are ongoing, a collective challenge remains: how can we protect our digital treasures and create a safer online environment for future generations?