Internet History Hacked, Wayback Machine Down—31 Million Passwords Stolen



    Hackers have compromised the Internet’s past, the Internet Archive’s Wayback Machine, stealing 31 million passwords and launching a massive Distributed Denial of Service attack in the process. It is unclear whether the two security incidents are related: the compromise of the Internet Archive’s authentication database, which contains registered member details including hashed passwords, and the denial of service attack. However, the evidence does seem to point to a targeted attack by the same threat actor.

    What We Know About The Internet Archive Hack

    The first clue that something was wrong came from the service itself, with the display of a JavaScript alert popup for visitors to the archive.org site which read:

    “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”


    Troy Hunt, the founder of the Have I Been Pwned data breach notification service referenced in the hacker’s note, told Bleeping Computer, the first to report on the news, that the threat actor had shared a 6.4GB database with them some days ago. This authentication database, which appears to be genuine and from the Internet Archive, contained “authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data,” Hunt told Bleeping Computer founder and editor Lawrence Abrams.

    The last timestamp in that database, September 18, gives a clue as to when the breach occurred. According to Hunt, there are 31 million records in the database, which will be added to the HIBP service soon so that people can check whether their data has been exposed by this attack.

    Hacking Internet History

    “Hacking the past is usually technically impossible but this data breach is the closest we may ever come to it,” Jake Moore, global cybersecurity advisor with ESET, said. “The stolen dataset includes personal information but at least the stolen passwords are encrypted.”


    Moore warns that even encrypted passwords can be cross-referenced against previous uses of the same password, so “it’s a good reminder to make sure all your passwords are unique.”

    Brewster Kahle, a digital librarian and group chair at the Internet Archive, posted a statement on X that said:

    “What we know: DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords. What we’ve done: Disabled the JS library, scrubbing systems, upgrading security. Will share more as we know it.”

    This is a developing story and will be updated as more information is forthcoming.



