Incident

The Internet Archive hacked, authentication database compromised exposing 31M users



The Internet Archive, known for its Wayback Machine, has been hit by a data breach that compromised an authentication database containing information on 31 million users. The breach was made public on October 9, 2024, when visitors to the site saw a pop-up message inserted by the attacker, stating that the Internet Archive had been breached. The message also referenced “HIBP,” the Have I Been Pwned data breach notification service.

The stolen database, a 6.4 GB SQL file named "ia_users.sql", has a timestamp of September 28, 2024 and million unique email addresses.

Compromised data includes:

  • Email addresses
  • Screen names
  • Password change timestamps
  • Bcrypt-hashed passwords
  • Other internal data

Troy Hunt, the founder of Have I Been Pwned, confirmed the legitimacy of the data after the hacker shared the SQL file with him nine days prior to the public disclosure. Hunt verified the data by reaching out to users listed in the breach, including cybersecurity researcher Scott Helme, who confirmed that the bcrypt-hashed password in the stolen records matched the one stored in his password manager.

The data is expected to be added to the HIBP database, allowing affected users to check if their data was included in the breach. 54% of the affected accounts were already present in HIBP’s database from previous breaches, indicating a significant overlap with users previously affected by other data leaks.

Exactly how the threat actors breached the Internet Archive’s systems remains unclear. However, there were indications of potential vulnerabilities, such as cross-site scripting (XSS), which could have been exploited to display the pop-up message.

Additionally, on the same day as the breach announcement, the Internet Archive faced a Distributed Denial of Service (DDoS) attack, claimed by the BlackMeta hacktivist group. This DDoS attack caused disruptions, temporarily bringing down the site and displaying a message stating that the services were "temporarily offline." BlackMeta has a history of targeting the Internet Archive, having also conducted a DDoS attack in May 2024.

Update: researchers report that despite assurances on its website that uploader emails are not shared with anyone, the Internet Archive has been automatically including uploader email addresses in metadata files generated for each upload. This information was visible through the “Show All” link on the uploaded content page or directly through metadata URLs. Even when users updated their account email, older uploads continued to display the original email addresses.
