Massive Breach at Internet Archive's Wayback Machine - Millions of user records compromised

ghacks.net

The Internet Archive has been hacked. The data breach resulted in the theft of a user authentication database containing the records of 31 million users.

Good to know: The Internet Archive is a non-profit organization that aims to preserve content that would otherwise be lost forever. Google has started adding links to the archive in Google Search results.

Internet Archive's Wayback Machine hacked, and user data stolen

Users who visited the Wayback Machine yesterday were greeted by a message on the website which read as follows: "Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!"

(Image credit: BleepingComputer)

For those unaware, HIBP refers to the popular breach notification website Have I Been Pwned. BleepingComputer reports that Troy Hunt, who created HIBP, told the publication that the attackers had shared the stolen authentication database with the service 9 days ago.

Hunt notified the Internet Archive 3 days ago, but the San Francisco-based non-profit did not respond to him. You can visit https://haveibeenpwned.com/ to check whether your email address appears in the Internet Archive data breach.

The compromised data includes email addresses, usernames, password change timestamps and bcrypt-hashed passwords; cybersecurity researcher Scott Helme later confirmed that the leaked records are genuine. Bcrypt is a salted, deliberately slow one-way hash, so plaintext passwords were not exposed and a strong, unique password should remain safe even though its hash is now in the attackers' hands. There is no need to panic, but the hashes can still be attacked offline with dictionary and brute-force guessing, so anyone who used a weak password, or reused their Internet Archive password elsewhere, should change it now, on archive.org and on every other site where it was used.
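To make the distinction above concrete, here is an added example (not code from ghacks.net, the Internet Archive or BleepingComputer) of how a salted, slow password hash is stored and verified, and what an attacker can still do with a stolen table of such hashes. Bcrypt itself is not in Python's standard library, so the block uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in; the structure is the same (per-user random salt, tunable work factor, constant-time comparison). The usernames, passwords and wordlist are constructed for the demo.

```python
"""Salted slow password hashing, and why a leaked hash table is still a risk.

Added example. PBKDF2-HMAC-SHA256 (standard library) stands in for bcrypt,
which needs a third-party package. The user records and the attacker's
wordlist below are constructed for this demo, not taken from any breach.
"""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

# Work factor: PBKDF2 iteration count. bcrypt's equivalent is its "cost"
# parameter. Higher = slower for the legitimate login AND for every guess.
WORK_FACTOR = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2$<iterations>$<salt hex>$<hash hex>.

    A fresh random salt per user means two users with the same password get
    different records, so one precomputed table cannot serve every user.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, WORK_FACTOR)
    return f"pbkdf2${WORK_FACTOR}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iters, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def build_leaked_dump() -> Dict[str, str]:
    """Constructed stand-in for a stolen authentication table (user -> record)."""
    return {
        "alice": hash_password("password123"),            # weak, in any wordlist
        "bob":   hash_password("Winter2024!"),            # weak pattern, also guessable
        "carol": hash_password("xK9#vL2$pQ8@mN4&wR7z"),   # strong, random
    }


# Constructed attacker wordlist; real ones have billions of entries.
WORDLIST: List[str] = [
    "123456", "password", "password123", "qwerty", "Winter2024!", "letmein",
]


def offline_dictionary_attack(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """What the thief does with the dump: try every candidate against every hash.

    The salt sits next to the hash, so it does not stop this; the work factor
    is what limits guesses per second. Weak passwords fall, strong ones hold.
    """
    cracked: Dict[str, str] = {}
    for user, record in dump.items():
        for guess in wordlist:
            if verify_password(guess, record):
                cracked[user] = guess
                break
    return cracked


def seconds_per_guess() -> float:
    """Rough cost of one guess at the configured work factor on this machine."""
    record = hash_password("timing-sample")
    start = time.perf_counter()
    verify_password("wrong-guess", record)
    return time.perf_counter() - start


if __name__ == "__main__":
    dump = build_leaked_dump()
    print("cracked:", offline_dictionary_attack(dump, WORDLIST))
    per_guess = seconds_per_guess()
    print(f"~{per_guess:.3f}s per guess -> ~{1 / per_guess:,.0f} guesses/s on one core")
```

Run as a script it cracks alice and bob from the tiny wordlist and leaves carol untouched; the reported guess rate is the number to compare against wordlist size when judging how long a stolen hash of your own password buys you. Raising `WORK_FACTOR` (or bcrypt's cost) makes every guess proportionally slower; using a unique random password makes the wordlist useless.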

Still, the stolen records contain 31 million unique email addresses, so that is a bit of a bother. Actually, this is the perfect time to illustrate the importance of email alias services such as SimpleLogin, Firefox Relay and DuckDuckGo's Email Protection. These services, many of which are free (with optional premium tiers), hide your real email address behind an alias: mail sent to the alias is forwarded to your real inbox without the sender ever learning your real address. Using a separate alias per site also tells you which service leaked it when spam starts arriving, and lets you disable that one alias after a breach without touching anything else.

It is unclear how the attackers breached the Internet Archive. Separately, the website suffered a DDoS attack claimed by the BlackMeta hacktivist group, which bragged that it had been attacking the site for over 5 hours and would keep doing so. A DDoS on its own does not explain the theft of a database, and it is not known whether the two events are connected. For what it's worth, the website seems fine now.

On a side note, the Internet Archive lost its legal battle against Hachette when the US Court of Appeals for the Second Circuit ruled that the digital archive violated copyright law. The Internet Archive had argued that its lending library was protected by the fair use doctrine, which permits certain uses of copyrighted works without the rights holder's permission. The court rejected the argument. (via Wired)

Here's some context: the Internet Archive's National Emergency Library aided many people, including students, during the COVID-19 pandemic, when they could not access physical books. They could use the Open Library to read scanned versions of physical books. This raised concerns among publishers, who criticized it as piracy of copyrighted material and soon filed a lawsuit against the Internet Archive. Unsurprisingly, the Internet Archive lost the case, although the court did recognize that it operates as a non-profit.

That's why this data breach doesn't make sense to me. Do you remember when a ransomware gang targeted a hospital? The Internet Archive is a non-profit organization; it is essentially a public service. What point are the hackers trying to prove? If they found the security of the site to be terrible, why not just alert them or help fix the problems? Of course, there is the fact that user data was taken, which could be cross-referenced with other breaches and used in credential-stuffing attacks against accounts on other services. But still, it's an unusual attack, because the usual targets are businesses.