The Internet Archive's "The Wayback Machine" suffered a data breach after a threat actor hacked the site and stole a user authentication database containing 31 million unique records. On Wednesday afternoon, visitors to archive.org began seeing JavaScript alerts created by hackers stating that the Internet Archive had been compromised, and news of the breach subsequently began circulating.
"Have you ever felt that the Internet Archive could suffer a catastrophic security breach at any time? It just happened, meeting 31 million users on HIBP!" reads a JavaScript alert displayed on the compromised archive.org website.
"HIBP" refers to the Have I Been Pwned data breach notification service created by Troy Hunt.
Hunt told BleepingComputer that the threat actors had shared the Internet Archive's authentication database nine days earlier, as a 6.4GB SQL file named "ia_users.sql." The database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, bcrypt-hashed passwords, and other internal data. The most recent timestamp on the stolen records is September 28, 2024, which is most likely when the database was stolen.
There are 31 million unique email addresses in the database, many of which are subscribed to the HIBP data breach notification service. This data will soon be added to HIBP, and users can enter their email address to check whether their data was exposed in this breach.
The data was confirmed to be genuine after Hunt got in touch with users listed in the database, including cybersecurity researcher Scott Helme, who allowed BleepingComputer to share his exposed record.
9887370, [email protected],$2a$10$Bho2e2ptPnFRJyJKIn5BiehIDiEwhjfMZFVRM9fRCarKXkemA3PxuScottHelme,2020-06-25,2020-06-25,[email protected],2020-06-25 13:22:52.7608520,\N0\N\N@scotthelme\N\N\N
Helme confirmed that the bcrypt-hashed password in the data record matches the bcrypt-hashed password stored in his password manager. He also confirmed that the timestamp in the database record matches the date he last changed his password in the password manager.
Hunt said he contacted the Internet Archive three days ago and began the disclosure process, saying that the data would be loaded into the service within 72 hours, but he has not received a response since.
It's unclear how the threat actors hacked into the Internet Archive and whether any other data was stolen. Earlier today, the Internet Archive suffered a DDoS attack, and the BlackMeta hacking group claimed that they would launch more.