Internet Archive Hack Leaks 31 Million Accounts

Man

Troy Hunt, creator of the "Have I Been Pwned" (haveibeenpwned.com) service for checking compromised passwords, has received information about the leak of the user base of the Internet Archive (archive.org), which maintains the Wayback Machine archive of sites and the largest library of digitized content. The attackers gave Troy a SQL dump with the accounts of 31 million archive.org users. In addition, JavaScript code was inserted into the archive.org site, displaying a pop-up window with information about the hack.

The warning about the leak has been handed over to the archive.org administration, but no official statements and explanations have yet been published (only reposts on Twitter so far). The SQL dump that fell into the hands of researchers takes up more than 6 GB and includes, among other things, user password hashes in bcrypt format, password change times, emails, and usernames. The most recent entry in the database is dated September 28.

The validity of the database was confirmed by the well-known security researcher Scott Helme, whose password hash and password change time in the leaked SQL dump matched the data from his password manager. You can check whether your accounts were compromised through the haveibeenpwned.com service, which already includes data from the leaked archive.org database. In total, haveibeenpwned.com holds information about 14 billion passwords and about hacks of 817 sites.

 
Hackers vs. History: The Battle for the Internet Archive Continues.

31 million users were affected by the cyberattack.

The Internet Archive digital library is gradually resuming operations after a week of downtime caused by a serious cyberattack. The organization suffered a data breach and a distributed denial-of-service (DDoS) attack.

Founded in 1996 by Brewster Kahle, the Internet Archive provides free access to a historical collection of web pages through the Wayback Machine. The resource stores more than 150 billion web pages, about 250,000 movies and 500,000 audio recordings.

On October 9, hackers stole and published the data of 31 million users of the site. Visitors to the resource saw a pop-up window with a message about a hack and a link to the Have I Been Pwned service, which allows you to check whether personal information has become publicly available as a result of a data leak.

To prevent further attacks, the administration decided to temporarily disable the site. According to the latest update from Brewster Kahle, a number of key Internet Archive services have already resumed. These include the Wayback Machine, Archive-It, and the scanning and data collection systems for national libraries. Email, blog, support and social media channels have also been restored.

The Internet Archive team is working around the clock in different time zones to bring the rest of the services back online. Other services are scheduled to resume in the coming days, some of which will begin to function in read-only mode, as full recovery will require additional time.

Kahle stressed that the organization is taking a cautious and thoughtful approach to restoring and strengthening the protection of its systems. The top priority is to ensure that the Internet Archive works more reliably and securely once it returns online.

Netscout, which conducted an analysis of the incident, recorded 24 DDoS attacks on Autonomous System (ASN) 7941, which is used by the Internet Archive. The first attack lasted more than three hours and affected three of the organization's IP addresses.

Netscout experts warn that such attacks can inspire attackers to try hacking again.

Bruno Kurtic, co-founder and CEO of Bedrock Security, believes that such hacks are almost inevitable: "Perimeters will be breached, vulnerabilities will be exploited... Attackers will end up at the door of your data stores".

According to Kurtic, the main problem for most businesses is not knowing the exact location of their data. "Data is mobile, propagated and created at an exponential rate," the expert notes.

To protect information, Kurtic recommends using proactive policy management, as well as monitoring the movement, encryption, and hashing of data. "Monitoring access and constantly scanning to update classifications on a scale of hundreds of petabytes is a difficult but necessary task", the specialist emphasizes.
 
Internet Archive Hacked Again With Stolen Access Tokens.

Internet Archive has been hacked again, this time via email support platform Zendesk. Previously, attackers stole GitLab's public authentication tokens.

Now they’ve started sending emails to users notifying them of the breach. “It’s disheartening that even after reporting the breach weeks ago, IA has yet to exercise due diligence and rotate the many API keys that were exposed in GitLab,” the attacker wrote in an email. The Zendesk token he used grants permission to access more than 800,000 support tickets sent to info@archive.org since 2018.

The headers of these emails pass all DKIM, DMARC, and SPF authentication checks, proving that they were sent by an authorized Zendesk server at 192.161.151.10. A recipient of the email told BleepingComputer that they had needed to upload personal identification data when requesting that a page be removed from the Wayback Machine.

BleepingComputer has repeatedly tried to warn the Internet Archive that their source code was stolen using a GitLab authentication token that has been available online for nearly two years.

In early October, IA was hit by two separate attacks simultaneously — one that stole data from 31 million of the site’s users, and another that appeared to be a DDoS attack by the pro-Palestinian group SN_BlackMeta. The attacks were carried out by different attackers, but many media outlets incorrectly attributed them to SN_BlackMeta. This likely disappointed the hacker behind the leak, who contacted BleepingComputer through an intermediary to claim responsibility for the attack and explain how the Internet Archive was hacked.

The attacker told BleepingComputer that he had found a compromised GitLab configuration file on one of the organization's development servers, services-hls.dev.archive.org. The token had been compromised since at least December 2022, and had changed several times since then. The attacker claims that this GitLab configuration file contained an authentication token that allowed him to download the Internet Archive's source code. The source code also contained credentials, including for the Internet Archive's database management system. This allowed the hacker to download the organization's user database, additional source code, and modify the site.

The attacker claimed to have stolen 7TB of data from the Internet Archive, but provided no samples as evidence. It has now emerged that the stolen data included API access tokens for the Zendesk support system.

The Internet Archive has yet to respond to BleepingComputer's messages.

The Internet Archive hack became known on October 9. At that time, visitors to the archive.org website saw notifications from the attackers, which stated that the site had been hacked. Later, Have I Been Pwned founder Troy Hunt reported that he had obtained a file with stolen user data. The last entry in the database was dated September 28, 2024. The attackers managed to steal data from 31 million users of the service, including logins, email addresses, and encrypted passwords.

As of October 14, the Internet Archive has resumed only the Wayback Machine service, in read-only mode. Users cannot yet add new pages to the archive.
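
The root cause described above is a configuration file left readable on a development server with an authentication token inside it. As an added example (not part of the original post and not Internet Archive code), this Python check scans Git-style config text for credentials embedded in remote URLs or `extraheader` settings and reports them redacted; it assumes the file follows the Git `config` format, and the host and token values are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

SECTION = re.compile(r"^\[([^\]]+)\]$")
KEYVAL = re.compile(r"^([A-Za-z][\w.-]*)\s*=\s*(.*)$")
AUTH_HEADER = re.compile(r"^(authorization|private-token)\s*:", re.I)

# Constructed sample: placeholder host and token values, not taken from the incident.
SAMPLE_CONFIG = """\
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://deploy-bot:EXAMPLE-TOKEN-0000@gitlab.example.org/group/app.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = git@gitlab.example.org:group/app.git
[http "https://gitlab.example.org/"]
    extraheader = Authorization: Bearer EXAMPLE-BEARER-0000
"""

def redact(secret):
    """Keep a short prefix only, so findings can be logged without re-leaking."""
    return secret[:4] + "***"

def find_embedded_credentials(config_text):
    """Return (section, key, redacted_secret) for each credential in a Git config."""
    findings, section = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if (m := SECTION.match(line)):
            section = m.group(1)
            continue
        if not (m := KEYVAL.match(line)):
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key in ("url", "pushurl"):
            try:
                password = urlsplit(val).password  # userinfo part: user:secret@host
            except ValueError:
                continue  # malformed URL, nothing to extract
            if password:
                findings.append((section, key, redact(password)))
        elif key == "extraheader" and AUTH_HEADER.match(val) and val.split(":", 1)[1].strip():
            findings.append((section, key, redact(val.split()[-1])))
    return findings

if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE_CONFIG):
        print(finding)
```

Any hit means the token should be treated as exposed and rotated, since removing it from the file does not invalidate copies already fetched.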