The Internet Archive, home to the Wayback Machine, fell victim to a significant cyberattack that compromised its authentication database and triggered a massive Distributed Denial of Service (DDoS) attack. The breach, which happened on September 18, exposed personal information of approximately 31 million registered users, including email addresses, screen names, and Bcrypt-hashed passwords.
The attack first came to light when visitors to archive.org encountered a JavaScript alert popup, mockingly referencing the vulnerability of the Internet Archive and directing users to check Have I Been Pwned (HIBP), a data breach notification service. Troy Hunt, HIBP’s founder, confirmed receiving a 6.4GB database from the threat actor, which appears to contain genuine Internet Archive user data.
Related: Internet Archive Faces Major Setback in Copyright Ruling
Jason Meller, vice president of product at 1Password and former chief security strategist at Mandiant, suggested on Forbes that the attackers likely gained access to the back-end infrastructure and obtained some control over web content delivery. The repeated website outages indicate the attackers may have also achieved dominance at the network layer.
Brewster Kahle, digital librarian and group chair at the Internet Archive, confirmed the DDoS attack, website defacement via a JavaScript library, and the breach of user data.
Kahle stated that immediate actions were taken, including disabling the compromised JavaScript library, system cleanup, and security upgrades. He also later updated that the Internet Archive’s data had not been corrupted. “Services are currently stopped to upgrade internal systems,” he added on X.
The pro-Palestinian hacktivist group Black Meta has claimed responsibility for the attacks.
Information for this story was found via the sources and companies mentioned. The author has no securities or affiliations related to the organizations discussed. Not a recommendation to buy or sell. Always do additional research and consult a professional before purchasing a security. The author holds no licenses.
