When visiting the Internet Archive (www.archive.org) on Wednesday afternoon, The Verge was greeted with a pop-up claiming the site had been hacked. Just after 9PM ET, Internet Archive founder Brewster Kahle confirmed the breach and said the website had been defaced with the notification via a JavaScript library.
Here’s what the pop-up said:
Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!
HIBP refers to Have I Been Pwned, a website where people can look up whether their information has been published in data leaked from cyberattacks. HIBP operator Troy Hunt confirmed to BleepingComputer that he received a file containing “email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data” for 31 million unique email addresses nine days ago and confirmed it was valid by matching data with a user’s account.
A tweet from HIBP said 54 percent of the accounts were already in its database from previous breaches. In posts on his account, Hunt gave further details on the timeline, including contacting the Internet Archive about the breach on October 6th and moving forward with the disclosure process, to today, when the site was defaced and DDoS’d at the same time they were loading the data into HIBP to begin notifying affected users.
After closing the message, the site loaded normally, albeit slowly.
As of 5:30PM ET, the pop-up was gone, but so was the rest of the site, leaving either nothing or a placeholder message saying “Internet Archive services are temporarily offline” and directing visitors to the site’s account on X for updates.
Jason Scott, an archivist and software curator at the Internet Archive, said the site was experiencing a DDoS attack, posting on Mastodon that “according to their twitter, they’re doing it just to do it. Just because they can. No statement, no idea, no demands.”
Later on Wednesday evening, Kahle of the Internet Archive confirmed the breach in a post on X:
What we know: DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords.
What we’ve done: Disabled the JS library, scrubbing systems, upgrading security.
Will share more as we know it.
An account on X called SN_Blackmeta said it was behind the attack and implied that another attack was planned for tomorrow. The account also posted about DDoSing the site in May, and Scott has previously posted about attacks seemingly aimed at disrupting the Internet Archive.
We’ve reached out to the organization to learn more information.
Update, October 9th: Added information from HIBP and BleepingComputer as well as Brewster Kahle’s confirmation of the breach.