Threat Actor: BlackMeta | BlackMeta
Victim: Internet Archive | Internet Archive
Price: Not disclosed
Exfiltrated Data Type: User authentication database, including email addresses and hashed passwords
Key Points :
- Data breach occurred on October 9, 2024, affecting over 31 million users.
- Stolen data included email addresses, screen names, and Bcrypt-hashed passwords.
- The breach was confirmed by cybersecurity expert Troy Hunt, who received a 6.4GB SQL file.
- Users were notified through a JavaScript alert on the Internet Archive website.
- BlackMeta also claimed responsibility for a DDoS attack on the same day as the breach.
- The accuracy of the stolen data was validated by cybersecurity researcher Scott Helme.
- No comment has been received from the Internet Archive regarding the breach.
- The exposed data will be added to the Have I Been Pwned platform for user checks.
On October 9, 2024, the Internet Archive, famously known for its “Wayback Machine,” suffered a significant data breach, compromising the user authentication database containing records of over 31 million users. Visitors to archive.org first noticed something was wrong when a JavaScript alert began appearing on the website, notifying them of the breach. The message boldly stated, “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”
The acronym “HIBP” refers to the well-known Have I Been Pwned data breach notification service, operated by cybersecurity expert Troy Hunt. Hunt later confirmed that the stolen data was shared with him three days prior, in the form of a 6.4GB SQL file named “ia_users.sql.” This file contained sensitive information, including email addresses, screen names, Bcrypt-hashed passwords, and other internal data.
To validate the breach, Hunt reached out to users listed in the database, including cybersecurity researcher Scott Helme. Helme confirmed the accuracy of the data, matching the bcrypt-hashed password and timestamps stored in his password manager with those found in the stolen database.
As of now, the breach has exposed 31 million unique email addresses, and the data will soon be added to the HIBP platform, allowing users to check if their information was compromised. Meanwhile, the cause of the breach and how the threat actors gained access to the database remain unknown. Adding to the chaos, the Internet Archive experienced a Distributed Denial of Service (DDoS) attack earlier in the day, claimed by the hacktivist group BlackMeta, who announced plans for additional attacks.
Despite attempts to reach the Internet Archive for comment, no response has been provided. This breach adds to a growing list of high-profile cyberattacks, raising concerns about the security of publicly accessible digital archives.
