Those who visited the Internet Archive on the night of October 9th were met with an unexpected pop-up message—the Archive had suffered from a “catastrophic data breach” that exposed the login credentials of 31 million users. Archive founder Brewster Kahle has since disclosed the breach. All Internet Archive users should reset their password and update any accounts that share their Archive login details.
Email addresses, usernames, Bcrypt-hashed passwords, password change timestamps, and other internal user data were exposed in this breach. Troy Hunt of Have I Been Pwned received the breached data on September 30th and began coordinating a disclosure notice with the Archive on October 7th.
Have I Been Pwned is a service that collects breached data and notifies individuals when their information is compromised. The pop-up message that graced the Internet Archive on October 9th made reference to Have I Been Pwned while taunting victims.
“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”
The pop-up message was injected through a hijacked Archive subdomain—it was not placed there by the Internet Archive. Evidently, the hackers behind this breach were frustrated by the lack of a public disclosure (which was in the process of going out on the night of October 9th) and took it upon themselves to announce that user data had been compromised.
The Archive is also suffering from an aggressive days-long DDoS campaign. Hacker group SN_Blackmeta has taken responsibility for the DDoS attacks, which are expected to continue throughout the week. SN_Blackmeta has attacked several websites and services throughout the last year as a means of protesting the Israel-Gaza war. However, this group does not appear to be responsible for the Archive data breach. The only evidence to suggest the group’s involvement in the breach is the timing of its DDoS attacks.
Now’s the time to reset the password on your Internet Archive account (though the site won’t load while it’s being hit by a DDoS attack). Any accounts that share the email address and password of your Internet Archive login may also be compromised and should be reset. HIBP states that 54% of the accounts exposed in this breach were already compromised in previous data breaches, meaning that over half of all Internet Archive users are reusing their login credentials across multiple websites and apps—please, get a password manager and stop reusing your login credentials.
Source: Archive.org via Troy Hunt