Update, October 15: Yesterday, the Wayback Machine went offline again, and the organization says it is currently read-only, with no ability to update. It also says the site may have to be taken offline for further maintenance.
The Internet Archive has confirmed a data breach and has also been hit by distributed denial-of-service (DDoS) attacks. The home of the Wayback Machine was previously attacked in May.
At this point, the security breach and the DDoS attacks are not believed to be related, although the timing certainly seems odd.
Internet Archive Data Breach
The security breach was first reported by Bleeping Computer.
The Internet Archive’s “The Wayback Machine” suffered a data breach after an attacker hacked the website and stole a user authentication database containing 31 million unique records […]
The attacker shared the Internet Archive authentication database nine days ago, and it is a 6.4GB SQL file named “ia_users.sql.” The database contains authentication information about registered participants, including their email addresses, screen names, password change timestamps, Bcrypt hashed passwords, and other internal data.
The identity of the attacker is unknown, but they created a JavaScript alert on the site to announce the attack.
HIBP is a reference to Have I Been Pwned, a site created by security researcher Troy Hunt to let people know if their data had been exposed in a security breach. Hunt himself confirmed that the data breach was real.
The Internet Archive acknowledged the breach today.
What we know: DDOS attack, so far repelled; defaced our site using a JS library; hacked usernames/emails/encrypted passwords.
What we did: Disabled the JS library, cleaned up the systems, updated the security.
DDoS Attack
The archive also cited a DDoS attack that took the site down for a period of time.
A group known as SN_Blackmeta claimed responsibility for the attack, posting a confusing, anti-Semitic message about the archive being “owned by the US,” as if it were a government project.
The Internet Archive has been and continues to be subject to a devastating attack. We have carried out several very successful attacks over the course of five long hours, and at this point all of their systems are completely down […]
They are being attacked because the archive is owned by the United States, and as we all know, that horrible and hypocritical government supports the genocide being perpetrated by the terrorist state of Israel.
The tweet was liked by X users:
The Internet Archive is a non-profit organization dedicated to archiving information that can be used by anyone in the world. The archive also has many resources on Palestine that we can no longer access because of this attack.
The Internet Archive is also suffering from legal troubles
The archive has also faced legal troubles, losing a lawsuit last month that accused it of copyright infringement, as Wired reported at the time.
The U.S. Court of Appeals for the Second Circuit has ruled against a long-running digital archive, upholding an earlier decision in Hachette v. Internet Archive, which found that one of the Internet Archive's book digitization projects violated copyright law.
Notably, the appeals court's ruling rejected the Internet Archive's argument that its book lending practices were protected by the fair use doctrine, which allows for copyright infringement under certain circumstances, calling it “unpersuasive.”
In March 2020, the Internet Archive, a San Francisco-based nonprofit, launched a program called the National Emergency Library (NEL). With library closures caused by the pandemic depriving students, researchers, and readers of access to millions of books, the Internet Archive said it was responding to calls from regular people and other librarians to help those at home access the books they need.
The organization essentially replicated what The Open Library had been doing legally, but removed the restriction that only one person could borrow a digital copy of a book at a time. It later reinstated the restriction, but by then it had already been sued.
It also faces a second lawsuit from a group of music labels seeking $400 million in damages for copyright infringement, which could bankrupt the organization.