Data Breach, DDoS Attacks Take Internet Archive Offline

Key Takeaways

  • The massive 57-petabyte Internet Archive has been hit by a data breach, website defacement, exfiltration and DDoS attacks in recent days.
  • The breach and DDoS attacks so far appear unconnected.
  • A copy of a user authentication database containing the email addresses and credentials of 31 million users has been provided to Have I Been Pwned.
  • The attackers have faced criticism for attacking a nonprofit whose goal is to preserve knowledge.
  • Questions have been raised about Archive’s handling of JavaScript, which appears central to the breach.
  • As of now, Archive.org and Open Library are offline, and recovery efforts are expected to take “days, not weeks.”

Overview

The Internet Archive has taken its Archive.org and OpenLibrary.org sites offline in response to a data breach and repeated DDoS attacks.

The breach of a user authentication database, which exposed the email addresses and credentials of 31 million users, likely occurred on Sept. 28, as that is the most recent date in a 6.4GB SQL file provided to Troy Hunt of Have I Been Pwned. Archive users did not become aware of the breach until two days ago, when a JavaScript alert appeared on the site that read, “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”

Internet Archive founder Brewster Kahle confirmed the attacks and website defacement in a Tweet on October 9: “DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords. What we’ve done: Disabled the JS library, scrubbing systems, upgrading security.”

Archive attack confirmed

The DDoS attacks returned yesterday, and the Internet Archive took Archive.org and Open Library offline, opting for “being cautious and prioritizing keeping data safe at the expense of service availability.”

In an update today, Kahle said: “The data is safe. Services are offline as we examine and strengthen them. Sorry, but needed. @internetarchive staff is working hard. Estimated Timeline: days, not weeks.”

In the meantime, this notice appears on the Archive home page, and the Open Library site was down at the time of publication:

Archive offline

Breach and DDoS Attacks May Not Be Linked

Shortly after the breach became public, the DDoS attacks were launched by the threat actor group SN_BLACKMETA. In an alert to clients, Cyble said there is as yet no evidence that the breach and DDoS attacks are related.

“There is no correlation whether the threat actor group SN_BLACKMETA who is behind the DDoS attacks is the same group that also breached Internet Archive,” Cyble said in the alert.

SN_BLACKMETA appears to misunderstand the nature of the non-governmental, non-profit Internet Archive, as the threat group stated as its motive for the attacks that “the archive belongs to the USA, and as we all know, this horrendous and hypocritical government supports the genocide that is being carried out by the terrorist state of “Israel”.”

Blackmeta

Commenters on Twitter and apparently even in the group’s own Telegram channel (now taken down) criticized targeting the Internet Archive, which has preserved a vast amount of data and records on a small budget. At last count, the Archive contained 57 petabytes of data and more than 866 billion web pages across four data centers in its mission to provide “universal access to all knowledge.”

On Mastodon, independent cybersecurity researcher Kevin Beaumont said, “that isn’t sticking it to some evil multinational, it’s attacking a genuinely great resource run on near nothing resource, sweat and tears. If you’re going to attack things – please aim better.”

Archive Website Security Questioned

In the wake of the attacks, questions are being raised about the Internet Archive’s website security, which allowed a breach, exfiltration, defacement and DDoS attacks within a short time period.

“A website as large as archive.org should be able to isolate hashed passwords from publicly accessible Javascript,” one commenter noted. “Wikipedia makes extensive use of Javascript. As far as I know, Javascript is disabled on preferences pages and login pages.”