Internet Archive leaks user info and succumbs to DDoS

31 million users' usernames, email addresses and salted-encrypted passwords are out there

by · The Register

The Internet Archive had a bad day on the infosec front, after being DDoSed and exposing user data.

On Wednesday afternoon US time the outfit’s digital librarian Brewster Kahle revealed a DDoS attack had made the site unavailable. The Register understands the outage may have lasted up to five hours, during which time visitors saw only a notification of the incident.

While that was happening, data leak notification service haveibeenpwned (HIBP) posted news of a leak that saw 31,081,179 users’ accounts exposed. Register staff received mails from HIBP that state “The breach exposed user records including email addresses, screen names and bcrypt password hashes.”

Kahle later confirmed the leak, writing that the service has detected “defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords.”

The org has disabled the JS library, and is “scrubbing systems, upgrading security.”

Kahle offered no detail beyond that but promised to “share more as we know it.”

It is unclear if the DDoS and breach are linked.

The Register sought comment from the Archive but had not received a response at the time of publication.

The two incidents continue an unhappy 2024 for the Internet Archive, which has lost a case regarding its right to lend digital assets, gone offline due to power failures, and endured other disruptive DDoS events. ®