In a significant cybersecurity incident, the Wayback Machine, operated by the non-profit Internet Archive, has fallen victim to a data breach. Malicious actors successfully infiltrated the site and exfiltrated the user authentication database, compromising over 31 million unique records.
Timeline and Discovery of the Breach
The attack came to light on October 9, 2024, when visitors to archive.org encountered a JavaScript alert. This notification, crafted by the hackers, boldly declared that the Internet Archive had been compromised. The message also referenced the impending appearance of 31 million records on “HIBP,” alluding to the Have I Been Pwned service.
Scope and Nature of the Stolen Data
Troy Hunt, the creator of Have I Been Pwned, confirmed receiving a 6.4 GB SQL file (ia_users.sql) from the attacker. This file contains critical user authentication information, including:
- Email addresses
- User aliases
- Password change timestamps
- Bcrypt-hashed passwords
- Other internal data
The most recent entry in the stolen database is dated September 28, 2024, suggesting this may be when the data was exfiltrated. Hunt verified that the breach affects 31 million unique email addresses, many of which are subscribed to HIBP’s data breach notifications.
Verification and Impact
To corroborate the authenticity of the breach, Hunt reached out to individuals whose information appeared in the leaked database. One such person, security specialist Scott Helme, permitted the publication of his compromised record:
9887370, [email protected], $2a$10$Bho2e2ptPnFRJyJKIn5BiehIDiEwhjfMZFVRM9fRCarKXkemA3PxuScottHelme, 2020-06-25,2020-06-25,[email protected],2020-06-25 13:22:52.7608520,\N0\N\N@scotthelme\N\N\N
Helme confirmed that the bcrypt-hashed password matched the entry stored in his password manager, and the timestamp aligned with his last password change date.
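The bcrypt field in the published record can be delimited and read by structure alone, because a bcrypt string is always 60 characters, which is also what separates it from the alias that runs into it. The Python sketch below is an added example, not part of the original article or of anyone's tooling named in it; parse_bcrypt is a hypothetical helper name, and the record is copied as it appears on this page.

```python
import re

# bcrypt modular crypt format: $<version>$<2-digit cost>$<22-char salt><31-char digest>,
# both in the bcrypt base64 alphabet "./A-Za-z0-9". The whole string is always 60 chars.
BCRYPT_RE = re.compile(
    r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)

# Record as printed in the article (e-mail fields kept as they appear on the page).
RECORD = (
    "9887370, [email protected], "
    "$2a$10$Bho2e2ptPnFRJyJKIn5BiehIDiEwhjfMZFVRM9fRCarKXkemA3PxuScottHelme, "
    "2020-06-25,2020-06-25,[email protected],2020-06-25 13:22:52.7608520,"
    r"\N0\N\N@scotthelme\N\N\N"
)


def parse_bcrypt(text):
    """Find the first bcrypt string in text and split it into its parts.

    Returns None when no structurally valid bcrypt string is present.
    """
    m = BCRYPT_RE.search(text)
    if m is None:
        return None
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # bcrypt only defines cost factors 4..31
        return None
    return {
        "hash": m.group(0),
        "version": version,
        "cost": cost,
        "rounds": 2 ** cost,      # key-expansion iterations per guess
        "salt": salt,
        "digest": digest,
        "rest": text[m.end():],   # whatever follows the 60-char hash
    }


if __name__ == "__main__":
    info = parse_bcrypt(RECORD)
    print(info["hash"], len(info["hash"]))
    print("version", info["version"], "cost", info["cost"], "rounds", info["rounds"])
    print("next field starts:", info["rest"][:10])
```

The cost factor read from the record is what determines how expensive each password guess is for anyone holding the dump, so it is the first value worth checking when assessing exposure.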
Response and Ongoing Investigation
Internet Archive founder Brewster Kahle acknowledged the breach on social media, stating that the organization had recently mitigated a DDoS attack and removed the malicious JavaScript. Kahle also mentioned that they are “disabling the JS library and cleaning systems while improving security.” However, it remains unclear whether the DDoS attack and the data breach are connected.
As of now, the exact method of intrusion, the attackers’ motives, and the possibility of additional data theft remain unknown. The cybersecurity community eagerly awaits further details from the Internet Archive regarding the full extent of the breach and the measures being taken to prevent future incidents.
This breach serves as a stark reminder of the ongoing threats to even well-established online platforms. Users of the Wayback Machine and other Internet Archive services are strongly advised to change their passwords immediately and remain vigilant for potential phishing attempts or unauthorized account access. As always, implementing strong, unique passwords and enabling two-factor authentication where possible remain crucial steps in protecting one’s digital identity in the face of such large-scale data breaches.