Internet Archive Suffers 'Catastrophic' Breach Impacting 31 Million Users (bleepingcomputer.com) 29
BleepingComputer's Lawrence Abrams: Internet Archive's "The Wayback Machine" has suffered a data breach after a threat actor compromised the website and stole a user authentication database containing 31 million unique records. News of the breach began circulating Wednesday afternoon after visitors to archive.org began seeing a JavaScript alert created by the hacker, stating that the Internet Archive was breached.
"Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!," reads a JavaScript alert shown on the compromised archive.org site. The text "HIBP" refers to is the Have I Been Pwned data breach notification service created by Troy Hunt, with whom threat actors commonly share stolen data to be added to the service.
Hunt told BleepingComputer that the threat actor shared the Internet Archive's authentication database nine days ago and it is a 6.4GB SQL file named "ia_users.sql." The database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data. Hunt says there are 31 million unique email addresses in the database, with many subscribed to the HIBP data breach notification service. The data will soon be added to HIBP, allowing users to enter their email and confirm if their data was exposed in this breach.
"Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!," reads a JavaScript alert shown on the compromised archive.org site. The text "HIBP" refers to is the Have I Been Pwned data breach notification service created by Troy Hunt, with whom threat actors commonly share stolen data to be added to the service.
Hunt told BleepingComputer that the threat actor shared the Internet Archive's authentication database nine days ago and it is a 6.4GB SQL file named "ia_users.sql." The database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data. Hunt says there are 31 million unique email addresses in the database, with many subscribed to the HIBP data breach notification service. The data will soon be added to HIBP, allowing users to enter their email and confirm if their data was exposed in this breach.
From Troy Hunt via LinkedIn (Score:2)
"Yep, I’m aware, more soon"
Re: (Score:2)
https://www.linkedin.com/feed/... [linkedin.com]
"Threat actor?" (Score:2, Interesting)
Re:"Threat actor?" (Score:5, Interesting)
Re:"Threat actor?" (Score:5, Insightful)
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
winning
Re: "Threat actor?" (Score:1)
So... Given our latest info, you wanna talk to someone about these Russians you see everywhere?
Not need an account to use the Wayback Machine. (Score:1)
Oh, I see: "Sign up for an account. Get your virtual library card and access 65+ million free and borrowable books, movies, audio, images, software, and more!"
https://archive.org/ [archive.org] account signup
Re: Not need an account to use the Wayback Machine (Score:5, Informative)
Need an account to post content, as some of us have.
I've posted a few things, like a backup of the Digi-Comp I publications before Yahoo! groups disappeared it.
It's kind of a library, but also kind of a repo of all kinds of information that might just have public interest to some community.
Re: (Score:2)
Oh no! (Score:4, Insightful)
Well, anyway...
Hashed passwords and email addresses. If you don't reuse passwords, no problem.
Re: Oh no! (Score:2)
True, but to a well equipped threat actor, all your hashed pws are belong to them.
So they've probably got this one.
Re: (Score:2)
If these passwords are good passwords and "hashed" with Argon 2 with suitable parameters, even reuse is not a problem.
Re: (Score:2)
Even with bcrypt as the article states, it's lifetime years to crack if you have a decent password that's not guessable.
Reminder (Score:3, Informative)
When you upload to the Internet Archive your email address is in the metadata XML file which is publicly viewable.
Only those who created an account and don't have any current uploads would be newly known email addresses out in public.
So what was the point of this? (Score:3)
They managed to hack it, nabbed the data, then handed it to the owner of HIBP. Is this to make some kind of a point about security? Or maybe to goad people into donating more so they can update/fix infrastructure or something?
Re: So what was the point of this? (Score:3)
Many hackers operate that way. Some seek recognition as great hackers, others seek self-satisfaction, yet others have profit, political, etc. motives. But even in the latter case, they can publish the hack to scratch their itch and then use the hacked data for its intended purpose.