An illicit JavaScript popup on the Internet Archive proclaimed on Wednesday afternoon that the site had suffered a major data breach. Hours later, the organization confirmed the incident.
Longtime security researcher Troy Hunt, who runs the data breach notification website Have I Been Pwned (HIBP), also confirmed that the breach is legitimate. He said that it occurred in September and the stolen trove contains 31 million unique email addresses along with usernames, bcrypt password hashes, and other system data. Bleeping Computer, which first reported the breach, also confirmed the validity of the data.
The Internet Archive did not yet return multiple requests for comment from WIRED.
“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach?” the attackers wrote in Wednesday’s Internet Archive popup message. “It just happened. See 31 million of you on HIBP!”
In addition to the breach and site defacement, the Internet Archive has been grappling with a wave of distributed denial-of-service attacks that have intermittently brought down its services.
Internet Archive founder Brewster Kahle provided a public update on Wednesday evening in a post on the social network X. “What we know: DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords. What we’ve done: Disabled the JS library, scrubbing systems, upgrading security. Will share more as we know it.” “Scrubbing systems” refer to services that offer DDoS attack protection by filtering malicious junk traffic so it can’t deluge and disrupt a website.
The Internet Archive has faced aggressive DDoS attacks numerous times in the past, including in late May. As Kahle wrote on Wednesday: “Yesterday’s DDOS attack on @internetarchive repeated today. We are working to bring http://archive.org back online.” The hacktivist group known as “BlackMeta” claimed responsibility for this week’s DDoS attacks and said it plans to carry out more against the Internet Archive. Still, the perpetrator of the data breach is not yet known.
The Internet Archive has faced battles on many fronts in recent months. In addition to repeated DDoS attacks, the organization is also facing mounting legal challenges. It recently lost an appeal in Hachette v. Internet Archive, a lawsuit brought by book publishers, which argued that its digital lending library violated copyright law. Now, it’s facing an existential threat in the form of another copyright lawsuit, this one from music labels, which may result in damages upwards of $621 million if the court rules against the archive.
HIBP’s Hunt says that he first received the stolen Internet Archive data on September 30, reviewed it on October 5, and warned the organization about it on October 6. He says the group confirmed the breach to him the next day and that he planned to load the data into HIBP and notify its subscribers about the breach on Wednesday. “They get defaced and DDoS’d, right as the data is loading into HIBP,” Hunt wrote. “The timing on the last point seems to be entirely coincidental.”
Hunt added, too, that while he encouraged the group to publicly disclose the data breach itself before the HIBP notifications went out, the extenuating circumstances may explain the delay.
“Obviously I would have liked to see that disclosure much earlier, but understanding how under attack they are, I think everyone should cut them some slack,” Hunt wrote. “They’re a non-profit doing great work and providing a service that so many of us rely heavily on.”