On Wednesday afternoon, an unauthorized JavaScript pop-up appeared on the Internet Archive, announcing that the website had experienced a significant data breach. A few hours later, the organization confirmed the incident.
Renowned security researcher Troy Hunt, the founder of the data-breach-notification site Have I Been Pwned (HIBP), also verified that the breach was authentic. He noted that it took place in September and involved a massive cache of data, including 31 million unique email addresses, usernames, bcrypt password hashes, and additional system information. Bleeping Computer, which first reported the breach, also corroborated the accuracy of the data.
The Internet Archive did not respond to multiple requests for comments from WIRED.
“Have you ever had the impression that the Internet Archive operates on outdated technology and is perpetually at risk of a major security incident?” the attackers stated in the Internet Archive pop-up message on Wednesday. “Well, it just happened. See 31 million of you on HIBP!”
Alongside the breach and website defacement, the Internet Archive has been contending with a series of distributed denial-of-service (DDoS) attacks that have sporadically disrupted its services.
Founder Brewster Kahle shared a public update on Wednesday evening through a post on the social platform X. He stated, “What we know: DDoS attack—fended off for now; defacement of our website through a JavaScript library; breach of usernames/email/salted-encrypted passwords. What we’ve done: Disabled the JavaScript library, cleaning systems, enhancing security. We will provide more updates as we receive them.” The term “cleaning systems” refers to services that provide DDoS attack protection by filtering out harmful traffic to prevent it from overwhelming and disrupting a website.
The Internet Archive has encountered intense DDoS attacks multiple times in the past, including one in late May. As Kahle reported on Wednesday: “Yesterday’s DDoS assault on @internetarchive repeated today. We are working to restore archive.org to service.” The hacktivist group BlackMeta claimed responsibility for the recent DDoS attacks and stated intentions to execute further attacks against the Internet Archive. However, the party responsible for the data breach itself remains unknown.
In recent months, the Internet Archive has faced numerous challenges. In addition to recurrent DDoS attacks, the organization is confronting growing legal issues. It recently lost an appeal in the case of Hachette v. Internet Archive, a lawsuit initiated by book publishers who claimed that its digital lending practices infringed on copyright laws. The organization now faces a significant threat from another copyright lawsuit initiated by music labels, which could result in damages exceeding $621 million if the ruling is unfavorable for the archive.
HIBP’s Hunt reports that he initially obtained the stolen Internet Archive data on September 30, examined it on October 5, and subsequently alerted the organization on October 6. He mentioned that the organization confirmed the breach to him on the following day, and that he intended to upload the data into HIBP while informing its subscribers about the breach on Wednesday. “They get defaced and DDoS’d, right as the data is loading into HIBP,” Hunt wrote. “The timing on the last point seems to be entirely coincidental.”
Hunt also noted that while he urged the organization to make the data breach public before sending out the HIBP notifications, the challenging circumstances likely contributed to the delay.
“Obviously I would have liked to see that disclosure much earlier, but given how much they are under attack, I think everyone should cut them some slack,” Hunt wrote. “They’re a nonprofit doing great work and providing a service that so many of us rely heavily on.”