Internet Archive cyberattack: How details of 31M users got exposed
The breach compromised the email addresses, usernames, and encrypted passwords


Oct 11, 2024
05:18 pm

What's the story

The Internet Archive, the popular digital library famous for its Wayback Machine, was recently hit by a major cyberattack. The breach compromised the usernames, email addresses, encrypted passwords, and other internal system data of around 31 million users. The stolen data, a 6.4GB SQL file named "ia_users.sql," contained records up to September 28, 2024.

Attack details

Attack initiated through malicious JavaScript pop-up

The Internet Archive cyberattack was launched via a malicious JavaScript pop-up on October 9. The message warned visitors of a security breach, stating, "Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!" This message confirmed what would soon be one of the largest breaches in the organization's history.

Countermeasures

Internet Archive was notified of the breach on October 6

Troy Hunt, a renowned security researcher and founder of Have I Been Pwned (HIBP), confirmed this breach. Hunt says the attack took place in September. Hunt first received the stolen data on September 30. He reviewed it on October 5, notifying the Internet Archive the next day. "They get defaced and DDoS'd, right as the data is loading into HIBP," Hunt remarked, highlighting the timing of the breach and subsequent denial-of-service attacks.

Response

Response to the cyberattack

Confirming the DDoS attack and data breach, Brewster Kahle, founder of the Internet Archive, took to X, stating that they had successfully defended against the DDoS attack for now and were working on enhancing their security measures. The organization has also disabled the malicious JavaScript library and is currently scrubbing its systems.

Group profile

Hacktivist group SN_BlackMeta claims responsibility for DDoS attacks

SN_BlackMeta, a hacktivist group associated with other major cyberattacks this year, claimed responsibility for this attack. In a post on X, SN_BlackMeta stated, "The Internet archive has and is suffering from a devastating attack. We have been launching several highly successful attacks for five long hours, and to this moment, all their systems are completely down." Cybersecurity firm Radware has identified SN_BlackMeta as a pro-Palestinian hacktivist group that may operate from Russia and have potential connections to Sudan.

Measures

What users should do to remain safe

Internet Archive users should promptly change their passwords, particularly if they reuse them on other platforms. Cybersecurity experts also advise against downloading or interacting with files from the Internet Archive until the breach is fully addressed and services are deemed secure. SN_BlackMeta has suggested more attacks are forthcoming, stating they will keep targeting the Internet Archive because of its association with the US, as they accuse the nation of supporting Israel.