The Internet Archive’s “The Wayback Machine” experienced a data breach after a threat actor compromised the website, stealing a user authentication database with 31 million unique records. This breach came to light when visitors to archive.org saw a JavaScript alert from the hacker, indicating that the site had been compromised.
The message referenced *Have I Been Pwned* (HIBP), a data breach notification service managed by Troy Hunt, suggesting that the stolen data would soon be added to the platform. Hunt confirmed to BleepingComputer that the threat actor shared the Internet Archive’s authentication database nine days earlier, consisting of a 6.4GB SQL file named *ia_users.sql*. This file contains sensitive information, including email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data for registered members.
The most recent timestamp on the stolen data was September 28th, 2024, suggesting that this was likely when the database was compromised. Hunt verified the authenticity of the data by contacting users listed in the database, including cybersecurity researcher Scott Helme. Helme confirmed that the Bcrypt-hashed password and the timestamp matched the information stored in his password manager.
Although Hunt initiated a disclosure process with the Internet Archive three days ago, indicating that the data would be added to HIBP within 72 hours, he has not received any response from the organization. This means that affected users will soon be able to check HIBP to see if their email addresses were exposed in this breach.
The method used by the hackers to breach the Internet Archive remains unknown, as does the extent of any other potential data theft. The situation worsened when the Internet Archive was targeted by a Distributed Denial-of-Service (DDoS) attack claimed by the BlackMeta hacktivist group, which has threatened to carry out further attacks.
