Internet History Hacked, Wayback Machine Down—31 Million Passwords Stolen

Posted by Forbes on October 11, 2024

Story updated Oct. 11 with additional expert comment regarding the DDoS attack on the Wayback Machine and the security resources that have helped limit the damage.

Hackers have compromised the Internet’s past, the Internet Archive’s Wayback Machine, stealing 31 million passwords and launching a massive Distributed Denial of Service attack in the process. It is unclear if the two security incidents, the compromise of the Internet Archive’s authentication database containing registered member details, including hashed passwords, and the denial of service attack, are related. However, the evidence does seem to be pointing in the direction of this being a targeted attack by the same threat actor.

What We Know About The Internet Archive Hack

The first clue that something was wrong came from the service itself, with the display of a JavaScript alert popup for visitors to the archive.org site which read:

"Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!"

Troy Hunt, the founder of the Have I Been Pwned data breach notification service referenced in the hacker’s note, told Bleeping Computer, the first to report on the news, that the threat actor had shared a 6.4GB database with them some days ago. This authentication database, which appears to be genuine and from the Internet Archive, contained “authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data,” Hunt told Bleeping Computer founder and editor Lawrence Abrams.

The last timestamp in that database gives a clue as to when the breach occurred, September 18. According to Hunt, there are 31 million records in the database which will be added to the HIBP service soon so as to enable people to see if their data has been exposed by this attack.

Based on the publicly available evidence so far, Jason Meller, vice president of product at 1Password, and a former chief security strategist at Mandiant, said that the Internet Archive “database has been exfiltrated, indicating that the back-end infrastructure was accessible, and their pages have been defaced, suggesting that the attackers have some degree of control over the web content served to users.” Meller further said that as the website has been repeatedly knocked offline, this would suggest that the attacker or attackers “have gained dominance at the network layer.”

The Internet Archive may not be the biggest or best-resourced organization. But, as Adam Brown, managing security consultant at Black Duck, said, it has employed security practices that helped limit the blast radius of this attack. “Using Bcrypt, if implemented correctly, will prevent the extraction of passwords,” Brown said, “while hashes can be looked up if common passwords are used, if the hash is salted, as it is with Bcrypt, this largely prevents the use of hash look-up tables.” Although it remains unclear how the authorization SQL database was stolen in the first place, “we can assume there is likely lacking or misconfigured security controls around access to it,” Brown said.
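Brown's point about salting, as an added example that is not from the article or the Internet Archive: a weak-password audit over constructed records, where one precomputed table covers every unsalted digest but salted records force a fresh hash per record and per candidate. PBKDF2-HMAC-SHA256 from Python's standard library stands in for Bcrypt here, and the word list, iteration count and function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

COMMON = ["123456", "password", "qwerty", "letmein"]  # constructed sample word list
ITERATIONS = 10_000  # assumption: kept low so the demo runs fast, not a production value

def unsalted(password):
    """Plain SHA-256: identical passwords always give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted(password, salt):
    """Salted, iterated hash (PBKDF2 standing in for Bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def make_record(password):
    """Store a fresh random 16-byte salt next to the hash, as Bcrypt does internally."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted(password, salt)}

def lookup_table(words):
    """Precompute digest -> password once; reusable against every unsalted record."""
    return {unsalted(w): w for w in words}

def audit_unsalted(digests, table):
    """One dictionary lookup per record flags every common password."""
    return [table.get(d) for d in digests]

def audit_salted(records, words):
    """No shared table is possible: each candidate is re-hashed with each record's salt.

    Returns the matches and the number of hash computations that were needed.
    """
    found, work = [], 0
    for rec in records:
        match = None
        for w in words:
            work += 1
            if hmac.compare_digest(salted(w, rec["salt"]), rec["hash"]):
                match = w
                break
        found.append(match)
    return found, work

if __name__ == "__main__":
    table = lookup_table(COMMON)
    print(audit_unsalted([unsalted("password"), unsalted("a long unique phrase")], table))
    records = [make_record("password"), make_record("a long unique phrase")]
    print(table.get(records[0]["hash"]))   # the precomputed table is useless here
    print(audit_salted(records, COMMON))   # common password still found, at per-record cost
```

The common password is still recoverable from the salted record, which is why accounts using one should change it, but the cost scales with records times candidates instead of a single table build.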

Hacking Internet History

“Hacking the past is usually technically impossible but this data breach is the closest we may ever come to it,” Jake Moore, global cybersecurity advisor with ESET, said, “the stolen dataset includes personal information but at least the stolen passwords are encrypted.”

Moore warns that even encrypted passwords can be cross-referenced against previous uses of the same password, so “it’s a good reminder to make sure all your passwords are unique.”

Brewster Kahle, a digital librarian and group chair at the Internet Archive, posted a statement on X that said:

“What we know: DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords. What we’ve done: Disabled the JS library, scrubbing systems, upgrading security. Will share more as we know it.”

“Distributed Denial-of-Service attacks often suggest political motives, and the attack on The Internet Archive is no exception,” Donny Chong, a director at Nexusguard, said, “While the identity behind the data breach exposing 31 million users remains unclear, the pro-Palestinian hacktivist group Black Meta has claimed responsibility for the DDoS attacks that took down The Internet Archive.”

Source: https://www.forbes.com/sites/daveywinder/2024/10/10/internet-hacked-wayback-machine-down-31-million-passwords-stolen/