The Internet Archive is under attack, with a breach revealing info for 31 million accounts

Photo by Amelia Holowaty Krales / The Verge

When visiting The Internet Archive (www.archive.org) on Wednesday afternoon, The Verge was greeted by a pop-up claiming the site had been hacked.

Here’s what the popup said:

“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”

HIBP refers to Have I Been Pwned?, a website where people can look up whether or not their information has been published in data leaked from cyber attacks. HIBP operator Troy Hunt confirmed to Bleeping Computer that nine days ago, he received a file containing “email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data” for 31 million unique email addresses, and confirmed it was valid by matching data with a user’s account.

A tweet from HIBP said 54 percent of the accounts were already in its database from previous breaches. In posts on his account, Hunt gave further details on the timeline, from contacting the IA about the breach on October 6th, and moving forward with the disclosure process until their site was defaced and DDoS’d today at the same time they were loading the data into HIBP to begin notifying affected users.

Let me share more on the chronology of this:
30 Sep: Someone sends me the breach, but I'm travelling and didn't realise the significance
5 Oct: I get a chance to look at it - whoa!
6 Oct: I get in contact with someone at IA and send the data, advising it's our goal to load…
— Troy Hunt (@troyhunt) October 9, 2024

After closing the message, the site loaded normally, albeit slowly. It’s unclear what was happening with the site, but attacks on services like TweetDeck have exploited XSS or cross-site scripting vulnerabilities with similar effects.

As of 5:30PM ET, the popup was gone, but so was the rest of the site, leaving either nothing or a placeholder message saying “Internet Archive services are temporarily offline” and directing visitors to the site’s account on X for updates.

Jason Scott, an archivist and software curator of The Internet Archive, said the site was experiencing a DDoS attack, posting on Mastodon that “According to their twitter, they’re doing it just to do it. Just because they can. No statement, no idea, no demands.” Separately, Brewster Kahle of the IA wrote that “Yesterday’s DDOS attack on @internetarchive repeated today. We are working to bring http://archive.org back online.” Neither has mentioned the breach.

An account on X called SN_Blackmeta said it was behind the attack and implied that another attack was planned for tomorrow. The account also posted about DDoSing the Archive in May, and Scott has previously posted about attacks seemingly aimed at disrupting the Internet Archive.

We’ve reached out to the organization to learn more information.

Update, October 9th: Added information from HIBP and BleepingComputer confirming a breach.
