Internet Archive Data Breach Puts 31 Million Users at Risk; Also DDoS attack

October 15 Update: The Wayback Machine went offline again yesterday and the organization says it is currently read-only and no updates are possible. It also says the site may need to be taken offline for further maintenance.

The organization has confirmed a data breach at the Internet Archive, which also suffered from distributed denial of service (DDoS) attacks. The home of the Wayback Machine was attacked back in May.

At this point, it is suspected that the security breach and the DDoS attacks are unrelated, although the timing certainly seems strange.

Internet Archive data breach

The security breach was first reported by BleepingComputer.

Internet Archive’s “The Wayback Machine” suffered a data breach after a threat actor compromised the site and stole a user authentication database containing 31 million unique records […]

The threat actor exposed the Internet Archive’s authentication database nine days ago. It is a 6.4 GB SQL file named “ia_users.sql”. The database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt hashed passwords, and other internal data.

The attacker’s identity is unknown, but he created a JavaScript alert on the website to announce the attack.

HIBP is a reference to Have I Been Pwned, the website created by security researcher Troy Hunt that allows people to find out whether their data has been exposed in security breaches. Hunt himself confirmed that the leaked data was valid.

The Internet Archive confirmed the breach today.

What we know: DDOS attack – repelled for now; Defacing our website via the JS library; Username/email address/salted encrypted password violations.

What we did: Disabled the JS library, cleaned systems, and improved security.

DDoS attack

The archive also pointed to a DDoS attack that temporarily took the website offline.

A group called SN_Blackmeta claimed responsibility for the attack with the confusing anti-Semitic message that the archive “belongs to the US” as if it were a government project.

The Internet Archive has been and is being affected by a devastating attack. We launched several highly successful attacks for five hours, and up to this moment all of their systems have completely failed […]

They are under attack because the archive belongs to the USA, and as we all know, this terrible and hypocritical government supports the genocide carried out by the terrorist state “Israel”.

The tweet was community-noted by X users:

The Internet Archive is a nonprofit organization whose purpose is to archive information for use by anyone in the world. There are also many resources in the archives about Palestine that we cannot access at this time due to this attack.

The archive has also faced legal problems, losing a lawsuit last month that accused it of copyright infringement, as Wired reported at the time.

The U.S. Court of Appeals for the Second Circuit ruled against the long-running digital archive, upholding an earlier ruling in Hachette v. Internet Archive that found one of the Internet Archive’s book digitization projects infringed copyright.

Specifically, the appeals court ruling rejects the Internet Archive’s argument that its distribution practices are protected by the fair use doctrine, which permits copyright infringement in certain circumstances, calling it “unpersuasive.”

In March 2020, the Internet Archive, a nonprofit organization based in San Francisco, launched a program called the National Emergency Library (NEL). Library closures caused by the pandemic have left students, researchers and readers unable to access millions of books, and the Internet Archive said it was responding to calls from ordinary citizens and other librarians to help those staying at home get access to the books they needed.

Essentially, the organization repeated what the Open Library did legally, but removed the restriction that ensured that a digital copy of a book could only be borrowed by one person at a time. The limit was subsequently reinstated, but by that time it had already been sued.

There is also the threat of a second lawsuit from a group of music labels seeking $400 million in damages for copyright infringement, which could force the organization into bankruptcy.
