
Internet Archive restores access after breach


The Internet Archive has partially restored access to its website and services after suffering a distributed denial-of-service (DDoS) attack and a data breach that exposed 31 million user records. On October 9, visitors to archive.org encountered a JavaScript alert indicating that a hacker had compromised the website and stolen a user authentication database. The alert directed users to the “Have I Been Pwned” (HIBP) website, where the stolen data was shared.

Troy Hunt, the creator of HIBP, confirmed that the threat actor provided the Internet Archive’s authentication database nine days prior. The 6.4GB SQL file, named “ia_users.sql,” contains email addresses, screen names, password change timestamps, bcrypt-hashed passwords, and other internal data. The most recent timestamp on the records is September 28th, 2024, which is likely the date of the breach.

Hunt contacted affected users, including cybersecurity researcher Scott Helme, who verified the authenticity of the exposed data. Despite initiating a disclosure process with the Internet Archive, Hunt has not received a response. In addition to the data breach, the Internet Archive experienced a DDoS attack claimed by the hacktivist group BlackMeta, which also indicated plans for further attacks.

Restoring site functionality after attack

The connection between the data breach and the DDoS attacks remains unclear. Internet Archive founder Brewster Kahle confirmed the incidents, stating that the organization has disabled the compromised JavaScript library, is scrubbing systems, and is upgrading security.

Additional attacks have taken the archive.org and openlibrary.org websites offline again. As of early Wednesday UTC, the Internet Archive website intermittently loaded different versions of the homepage, with some services remaining unavailable. Kahle announced that the Wayback Machine, responsible for preserving web page snapshots, is now “running strong” but noted that efforts are still underway to restore other archive items and services safely.


Network visibility firm Netscout reported that the DDoS attack lasted around three hours and twenty minutes, generating approximately five gigabits per second of traffic. The attack targeted three IP addresses used by the Archive and employed TCP RST floods and HTTPS application layer attacks. Netscout identified characteristics pointing to Mirai malware variants, likely originating from home entertainment and IoT devices in Korea, China, and Brazil.

The Internet Archive continues to prioritize the security of its digital collections while cautiously restoring its services. Kahle emphasized the organization’s focus on ensuring data safety, projecting that system enhancements and examinations will take days, not weeks.

Becca Williams is a writer, editor, and small business owner. She writes a column for Smallbiztechnology.com and many more major media outlets.