A security breach at the Internet Archive's "WayBack Machine" has resulted in the theft of the authentication database containing data on 31 million people.
The "WayBack Machine" has been an invaluable resource, capturing snapshots of the Internet for posterity. However, it has become the latest site to be targeted by hackers, with millions affected by a recent attack.
The breach of archive.org became known on Wednesday, prompted by an unusual JavaScript alert created by the hacker, reports Bleeping Computer. The alert taunted users of the site, while also confirming that the breach had taken place.
"Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach?" the text reads. "It just happened. See 31 million of you on HIBP!"
"HIBP" refers to Have I Been Pwned, a site that shares information about breaches and also notifies victims when they occur. Troy Hunt, the creator of Have I Been Pwned, confirmed to the publication that the hackers involved had shared the authentication database nine days previously.
The database, weighing in at 6.4 gigabytes, contains authentication details for registered members, including email addresses, online names, password change timestamps, Bcrypt-hashed passwords, and other types of internal data. There are approximately 31 million unique email addresses in the database.
Hunt disclosed the receipt of the database to the Internet Archive, advising that the data would be incorporated into Have I Been Pwned 72 hours later. However, the Internet Archive has neither contacted Hunt nor publicly disclosed the breach.
The breach of data affecting 31 million users is only one of the issues affecting the Internet Archive. It is currently dealing with a DDoS attack from the hacktivist group BlackMeta, with more attacks also promised from the group.
3 Comments
Just don’t give these sites real details if you choose to register. Surely that would mitigate this issue in most cases?
While it won’t help anyone who has already registered for any online service, mailing list, or website, Apple’s “Hide My Email” feature is extremely useful and much more effective than trying to unsubscribe from anything that has your real email address.
You don’t have to rely on Apple to prompt you to create a hidden email address during a sign-up process. You can preemptively go into the Hide My Email feature under your iCloud settings and create as many hidden email addresses as you want and then use them as needed.
It also frustrates me that people can use the Internet without leaving an easily traceable path back to the originator. I completely understand why it has to be this way, but it opens up so many opportunities for people who want to evade accountability for their actions to do so. Unfortunately when we fall back on human nature to discern good from evil, there will always be those who choose the latter option.