Change your passwords: Attackers claim a ‘catastrophic security breach’ of the Internet Archive, with 31 million emails and hashed passwords captured

"See 31 million of you on HIBP!"

"See 31 million of you on HIBP!"

The Internet Archive—the online repository of, well, pretty much everything—is under attack. It’s been hit by a series of DDOSes that have rendered the site essentially unusable since Wednesday, with the non-profit’s engineers scrambling to fend off the assault, upgrade security, and keep users informed all at the same time.

None of which, alarmingly, is the worst part. If you try to go to the site at time of writing, you’ll just find an error page, but visitors yesterday were greeted by a pop-up reading “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”

HIBP means Have I Been Pwned, a site you can use to check if your emails and passwords have been leaked in any of the data breaches that happen with disconcerting regularity online. In other words: The Archive’s attackers are claiming to have nicked the deets for around 31 million accounts as part of their campaign, a breach which has since been confirmed by Archive founder Brewster Kale and HIBP’s Troy Hunt (via Bleeping Computer).

“What we know:” wrote Kale earlier today, “DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords.” The bad news is that you have an Internet Archive account, your username and email could well have been captured by the site’s attackers.

The good news is that the version of your password they’ve gotten hold of is encrypted. Don’t use that as an excuse to rest on your laurels, though: You should absolutely change your Archive password as soon as you can—and change it anywhere else you use that password, too.

Since the attack, Kale says that the Archive has “Disabled the JS library” used to access the site and serve the earlier pop-up, and that it is “scrubbing systems, upgrading security.” Unfortunately, there’s not much the site has been able to do about the DDOS attacks. Less than an hour before I wrote this, Kale posted that “DDOS folks are back and knocked Archive.org and Openlibrary.org offline,” and that the site is “being cautious and prioritizing keeping data safe at the expense of service availability.”

It’s not entirely clear just yet who is behind the attack or what their reasons are. An account on X going by the name SN_Blackmeta—claiming to be located in “Old Rus, Novgorod Oblast”—has claimed responsibility, saying it was attacking the Archive “because the archive belongs to the USA,” whose “horrendous and hypocritical government supports the genocide that is being carried out by the terrorist state of ‘Israel.'” It’s worth noting that the Archive has no notable ties to the US government beyond being based in America.

Of course, whether that account actually has ties to the Archive’s attackers or is just opportunistically claiming responsibility, and whether its provided reasons for doing so are its actual reasons, is far from clear.

It’s one more problem the Archive doesn’t need. Earlier this year, the site was forced to remove half a million books from its lending library after losing a landmark copyright lawsuit against a number of publishing companies. The Archive is appealing the ruling, but I have to imagine that Brewster Kale and co have a world-historic headache right now after a terrible 2024.

About Post Author