Internet Archive hacked, data breach impacts 31 million users

[thumbtak]

Update on 10/20/24 added to the bottom of this article.

Internet Archive’s “The Wayback Machine” has suffered a data breach after a threat actor compromised the website and stole a user authentication database containing 31 million unique records.

News of the breach began circulating Wednesday afternoon after visitors to archive.org began seeing a JavaScript alert created by the hacker, stating that the Internet Archive was breached.

“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!,” reads a JavaScript alert shown on the compromised archive.org site.

JavaScript alert shown on Archive.org
Source: BleepingComputer

The text “HIBP” refers to the Have I Been Pwned data breach notification service created by Troy Hunt, with whom threat actors commonly share stolen data to be added to the service.

Hunt told BleepingComputer that the threat actor shared the Internet Archive’s authentication database nine days ago and it is a 6.4GB SQL file named “ia_users.sql.” The database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data.

The most recent timestamp on the stolen records is September 28th, 2024, likely when the database was stolen.

Hunt says there are 31 million unique email addresses in the database, with many subscribed to the HIBP data breach notification service. The data will soon be added to HIBP, allowing users to enter their email and confirm if their data was exposed in this breach.

The data was confirmed to be real after Hunt contacted users listed in the databases, including cybersecurity researcher Scott Helme, who permitted BleepingComputer to share his exposed record.

9887370, internetarchive@scotthelme.co.uk,$2a$10$Bho2e2ptPnFRJyJKIn5BiehIDiEwhjfMZFVRM9fRCarKXkemA3PxuScottHelme,2020-06-25,2020-06-25,internetarchive@scotthelme.co.uk,2020-06-25 13:22:52.7608520,\N0\N\N@scotthelme\N\N\N

Helme confirmed that the bcrypt-hashed password in the data record matched the brcrypt-hashed password stored in his password manager. He also confirmed that the timestamp in the database record matched the date when he last changed the password in his password manager.

Hunt says he contacted the Internet Archive three days ago and began a disclosure process, stating that the data would be loaded into the service in 72 hours, but he has not heard back since.

It is not known how the threat actors breached the Internet Archive and if any other data was stolen.

Earlier today, the Internet Archive suffered a DDoS attack, which has now been claimed by the BlackMeta hacktivist group, who says they will be conducting additional attacks.

BleepingComputer contacted the Internet Archive with questions about the attack, but no response was immediately available.

Update 10/10/24: Internet Archive founder Brewster Kahle shared an update on X last night, confirming the data breach and stating that the threat actor used a JavaScript library to show the alerts to visitors.

“What we know: DDOS attacked-fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords,” reads a first status update tweeted last night.

“What we’ve done: Disabled the JS library, scrubbing systems, upgrading security.”

A second update shared this morning states that DDoS attacks have resumed, taking archive.org and openlibrary.org offline again.

While the Internet Archive is facing both a data breach and DDoS attacks at the same, it is not believed that the two attacks are connected.

Update 10/20/24: The Internet Archive was breached again, this time with the threat actors gaining access to their Zendesk support email system.

BleepingComputer has published a detailed story on how they breached Internet Archive and stole the member data in this article: Internet Archive breached again through stolen access tokens.

Quoted from: https://www.bleepingcomputer.com/news/security/internet-archive-hacked-data-breach-impacts-31-million-users/

• This topic was modified 4 days, 1 hour ago by thumbtak. Reason: Removed a duplicated picture

[thumbtak]

The Internet Archive, home of the Wayback Machine, suffered a massive data breach impacting an estimated 31 million users. The breach included a JavaScript alert on October 9th, warning users about the security incident. The hackers had access to users’ email addresses, screen names, timestamps of password changes, bcrypt hashed passwords, and internal data. The SQL database stolen weighs 6.4 GB. The most recent password change timestamp in the leak was September 28th, 2024, suggesting the hackers were in the systems for weeks before the breach was announced.

Despite being aware of the breach, the Internet Archive team failed to change many of the API keys and tokens, allowing hackers to access 800,000+ support tickets. The hackers claim to have stolen 7 terabytes of additional data, but this hasn’t been confirmed publicly. The motive behind the hack is unclear, but speculation suggests it could be related to copyright infringement lawsuits against the Internet Archive. The hackers found an exposed GitLab configuration file since December 2022, which allowed them to download the Internet Archive’s source code and steal credentials to the database management system.

[thumbtak]

[Author]

Posts