Internet Archive Breach Exposes 31 Million Users

A malicious JavaScript pop-up on the Internet Archive announced Wednesday afternoon that the site had experienced a major data breach. Hours later, the organization confirmed the incident.
Longtime security researcher Troy Hunt, who runs the data breach notification website Have I Been Pwned (HIBP), also confirmed that the breach is legitimate. He said it happened in September and that the stolen trove contained 31 million unique email addresses and usernames, bcrypt password hashes, and other system data. Bleeping Computer, which first reported the breach, also confirmed the authenticity of the data.
The Internet Archive did not return multiple requests for comment from WIRED.
“Have you ever felt like the Internet Archive is running on sticks and constantly vulnerable to a catastrophic security breach?” the attackers wrote in an Internet Archive pop-up message. “It has happened. See your 31 million in HIBP!”
In addition to breaches and defacement, the Internet Archive has been experiencing a wave of distributed denial-of-service attacks that have brought down its resources.
Internet Archive founder Brewster Kahle provided a public update Wednesday evening on social media site X. “What we know: DDOS attacks—defended for now; the corruption of our website by the JS library; breach of usernames/email/passwords encrypted with salt. What we did: Blocked JS library, scraping systems, security improvements. We will share as much as we can.” “Scraping systems” refers to services that protect against DDoS attacks by filtering malicious traffic so that it cannot flood and disrupt a website.
The Internet Archive has faced malicious DDoS attacks several times in the past, including in late May. As Kahle wrote on Wednesday: “Yesterday’s DDoS attack on @internetarchive was repeated today. We are working to restore the Internet.” A hacktivist group known as BlackMeta claimed responsibility for the DDoS attack this week and said it plans to do more against the Internet Archive. However, the perpetrator of the data breach is currently unknown.
The Internet Archive has faced battles on many fronts in recent months. In addition to repeated DDoS attacks, the organization is also facing mounting legal challenges. It just lost its appeal in Hachette v. Internet Archive, a lawsuit brought by book publishers, who argued that its digital lending library violated copyright law. It now faces an imminent threat in the form of another copyright lawsuit, this one from the music labels, which could result in more than $621 million in damages if the court rules against the archive.
HIBP’s Hunt says he first discovered the stolen Internet Archive data on September 30, updated it on October 5, and alerted the organization about it on October 6. He says the organization confirmed the breach to him the next day, after which he loaded the data into HIBP and notified its subscribers about the breach on Wednesday. “They are being polluted and DDoS’d, as data uploads to HIBP,” Hunt wrote. “The timing of the last point seems to be completely coincidental.”
Hunt added that while he had encouraged the organization to publicly disclose the data breach itself before HIBP notices went out, unforeseen circumstances could explain the delay.
“Obviously I would have liked to have seen that disclosure sooner, but understanding how they are being attacked, I think everyone should cut them some slack,” Hunt wrote. “They are a non-profit organization that does great work and provides a service that many of us rely on.”