Internet Archive suffers major data breach, 31 million users affected
What's the story
In a major data breach, non-profit digital library Internet Archive has been compromised, affecting some 31 million users.
The breach was first reported via an unauthorized JavaScript pop-up on the site.
Subsequently, Troy Hunt, a well-known security researcher and founder of data-breach-notification website Have I Been Pwned (HIBP), confirmed its authenticity.
Hours later, the organization also confirmed the hack.
Information compromised
Breach details and Internet Archive's response
The data breach occurred in September, compromising 31 million unique email addresses along with usernames, bcrypt password hashes, and other system data.
The breach perpetrators even taunted the Internet Archive in their pop-up message saying, "Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened."
DDoS attacks
Internet Archive faces additional security threats
Along with the data breach, the Internet Archive has also been facing a series of distributed denial-of-service (DDoS) attacks that have sporadically disrupted its services.
Jason Scott, an archivist and software curator for The Internet Archive, confirmed these attacks on social media.
The hacktivist group known as BlackMeta has claimed responsibility for the DDoS attacks and threatened to launch more against the digital library.
Countermeasures
Founder addresses breach and outlines response measures
In the wake of the security incidents, Internet Archive founder Brewster Kahle issued a public update.
He confirmed a DDoS attack, website defacement through a JavaScript library, and breach of usernames/email/salted-encrypted passwords.
As countermeasures, the organization has disabled the compromised JavaScript library and is currently scrubbing systems and enhancing security.
Notification process
HIBP's role in breach notification and future plans
Hunt from HIBP, who first received the stolen Internet Archive data on September 30, reviewed it on October 5 and alerted the organization about it on October 6.
The group confirmed the breach to him the next day.
Hunt planned to upload this data into HIBP and inform its subscribers about the breach.
Despite encouraging early public disclosure of the data breach, he acknowledged that extenuating circumstances may have caused a delay in this process.