Internet Archive Hacked, Data Breach Affects 31 Million Users

Internet Archive's “The Wayback Machine” suffered a data breach after a threat actor compromised the site and stole a user authentication database containing 31 million unique records.

News of the breach broke Wednesday afternoon after visitors to archive.org saw a JavaScript warning created by the hacker that said the Internet Archive had been breached.

“Have you ever felt like the Internet Archive is on hold, constantly on the verge of a catastrophic security breach? website.

The text “HIBP” refers to the “Have I Been Pwned” data breach notification service developed by Troy Hunt, which threat actors often use to share stolen data to add to the service.

Hunt told BleepingComputer that the threat actor shared the Internet Archive's authentication database nine days ago and that it was a 6.4GB SQL file called “ia_users.sql.” The database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt hashed passwords, and other internal data.

The last timestamp of the stolen records was September 28, 2024, likely the time the database was stolen.

According to Hunt, there are 31 million unique email addresses in the database, many of which have subscribed to the HIBP data breach notification service. The data will soon be added to HIBP so users can enter their email address and confirm whether their data was exposed in this breach.

The authenticity of the data was confirmed after Hunt contacted users listed in the databases, including cybersecurity researcher Scott Helme, who allowed BleepingComputer to share its exposed datasets.

9887370, [email protected],$2a$10$Bho2e2ptPnFRJyJKIn5BiehIDiEwhjfMZFVRM9fRCarKXkemA3PxuScottHelme,2020-06-25,2020-06-25,[email protected],2020-06-25 13:22:52.7608520,\N0\N\N@scotthelme\N\N\N

Helme confirmed that the bcrypt hashed password in the record matched the brcrypt hashed password stored in his password manager. He also confirmed that the timestamp in the database record matched the date he last changed the password in his password manager.

Hunt says he contacted the Internet Archive three days ago and initiated a disclosure process, saying the data would be uploaded to the service in 72 hours, but he hasn't received a response since.

It is unknown how the threat actors broke into the Internet Archive and whether additional data was stolen.

Earlier today, the Internet Archive suffered a DDoS attack, now claimed by hacktivist group BlackMeta, who say they will be carrying out more attacks.

BleepingComputer reached out to the Internet Archive with questions about the attack, but no immediate response was available.