
Internet Archive Data Breach Compromises Credentials, Pro-Palestinian Hacktivist Group Claims Credit for Follow-Up DDoS Campaign

The Internet Archive has been under heavy attack in the past week, suffering both a major data breach and a series of potent DDoS attacks that have taken it offline.

A known hacking group has stepped up to claim credit for the latter as an act of “hacktivism” in support of Palestine, though this group appears to be new to its association with Middle East politics. Questions have also been raised about whether the data breach and DDoS attacks involve multiple parties acting independently.

Internet Archive suffers chain of attacks, Wayback Machine credentials compromised

The data breach involves the “Wayback Machine” maintained by the Internet Archive, a free service that archives web pages and that has seen more use than ever in recent weeks as Google has put an end to its search engine’s page caching service. The hackers stole an SQL file used for user authentication, containing some 31 million entries. Usernames connected to email addresses and hashed passwords were exposed, presumably for all current and past registered members of the site.

The data breach appears to have taken place on September 28, based on the timestamp of the stolen records. The attacker shared the file on an underground forum, and it has since been added to the “Have I Been Pwned” (HIBP) database. They also took it upon themselves to notify the Internet Archive and its users of the compromise, putting up a JavaScript alert claiming that the site “runs on sticks” and that the 31 million records would soon be added to HIBP.

That data breach was followed by a series of DDoS attacks, which the “BlackMeta” group was quick to claim credit for. This group has previously attacked a number of different targets in similar fashion: NSO Group (the Israeli creator of the Pegasus commercial spyware), Europol, and the Arab National Bank among them. The attacks that it associates with pro-Palestine politics have taken place since August of this year, and the group appears to be using DDoS-for-hire services to launch them rather than its own infrastructure.

The Internet Archive confirmed the data breach on October 10, and said that an initial DDoS attempt was fended off. But more DDoS attacks came rolling in the next day, severe enough to keep the archive.org and openlibrary.org domains offline for a sustained amount of time. BlackMeta’s prior attack on Arab National Bank ran for six days, setting a record for DDoS attack duration.

Data breach leaves unanswered questions

As of this writing, the Internet Archive has come back online in a “provisional” read-only format. Users are unable to upload new material or use the “Save Page Now” feature to archive snapshots of current pages, and founder Brewster Kahle has warned (via X updates) that the site still requires further maintenance and might see temporary suspensions in relation to this.

It is still not clear if there is any direct connection between the mass data breach and the follow-on DDoS attacks. BlackMeta, which has been known solely for its similar DDoS antics in recent history, has not indicated that it is behind or affiliated with the stolen records. The group’s claim to have done it in support of Palestine tracks with its other supposed hacktivist actions in the past two months, but on X it specifically said that the Internet Archive was attacked because it “belongs to the USA.” If BlackMeta was not the group that stole the user credentials, it appears to have been someone similarly not interested in profiting from the attack as the full data was dumped to the public very shortly after the incident.

It is an understatement to say that the timing for such a damaging attack is inopportune for the Internet Archive. Started by Kahle as a personal project years ago, it has grown to encompass some 866 billion web pages including tens of millions of books and videos. In some cases it is the sole source of internet materials that have since become unavailable anywhere else, and is particularly useful in looking up articles that have been removed from media sites or that may have been altered without notification.

The data breach and DDoS attacks are highly unlikely to put down the Internet Archive, but the site has faced some potentially existential legal threats as of late. It recently lost an appeal in a case that could eliminate its ability to serve as a virtual lending library for books that are still under copyright, and a collection of music labels has taken it to court seeking hundreds of millions of dollars under allegations of it knowingly hosting their protected works.

Adam Brown, Managing Consultant at Black Duck Software, notes that though the Internet Archive is the world’s central source of internet history it is nevertheless much more like a small business in terms of security posture and capability: “The Wayback machine may well run on metaphorical ‘sticks’ and as a smaller business it may not have the same level of security that large organisations have, however there are some security practices here that have helped limit the blast radius. The use of Bcrypt for one, if implemented correctly will prevent the extraction of passwords. Bcrypt is a hashing mechanism and while hashes can be looked up if common passwords are used, if the hash is salted as it is with Bcrypt, this largely prevents the use of hash look up tables. It’s not clear from the article how the SQL database was stolen in the first place however, so we can assume there is likely lacking or misconfigured security controls around access to it.”
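The point Brown makes about salting can be shown in a few lines. The following is an added example, not code from the Internet Archive or from the article: it stores the same constructed passwords once as unsalted SHA-256 and once with a per-user random salt, then checks both stores against a precomputed lookup table. PBKDF2 from the Python standard library stands in for Bcrypt here (an assumption made so the example runs without third-party packages); the user names, passwords and wordlist are constructed.

```python
import hashlib
import hmac
import os

COMMON = ["123456", "password", "qwerty", "letmein"]  # constructed wordlist
ROUNDS = 50_000  # illustrative work factor, not a recommendation

def unsalted(pw):
    """Weak storage: same password always yields the same digest."""
    return hashlib.sha256(pw.encode()).hexdigest()

def salted(pw, salt=None):
    """Salted storage (PBKDF2 as a stand-in for Bcrypt): 'salt$digest'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS)
    return salt.hex() + "$" + dk.hex()

def verify(pw, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(salted(pw, bytes.fromhex(salt_hex)), stored)

def build_lookup_table(words):
    """Precomputed digest -> password table, as used against unsalted hashes."""
    return {unsalted(w): w for w in words}

def exposed_by_table(store, table):
    """Return {user: password} for every stored digest found in the table."""
    hits = {}
    for user, stored in store.items():
        digest = stored.split("$")[-1]  # digest part only, salt ignored
        if digest in table:
            hits[user] = table[digest]
    return hits

def demo():
    # Constructed accounts: two users share a common password.
    users = {"alice": "password", "bob": "password", "carol": "Xk#9vT!q2LmZ"}
    table = build_lookup_table(COMMON)
    weak_store = {u: unsalted(p) for u, p in users.items()}
    strong_store = {u: salted(p) for u, p in users.items()}
    return (exposed_by_table(weak_store, table),
            exposed_by_table(strong_store, table),
            strong_store)

if __name__ == "__main__":
    weak_hits, strong_hits, store = demo()
    print("unsalted store, table hits:", weak_hits)
    print("salted store, table hits:  ", strong_hits)
    print("same password, different records:", store["alice"] != store["bob"])
```

With the salted store, the shared password no longer produces matching records and the table finds nothing, while a normal login check with the stored salt still succeeds.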