Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Special Features

Cybersecurity Month

Internet Archive user info stolen in cyberattack, succumbs to DDoS

31M folks' usernames, email addresses, salted-encrypted passwords now out there

Simon Sharwood Thu 10 Oct 2024  //  01:33 UTC

The Internet Archive had a bad day on the infosec front, after being DDoSed and having had its user account data stolen in a security breach.

On Wednesday afternoon US time the outfit’s digital librarian Brewster Kahle revealed a DDoS attack had made the site unavailable. The Register understands the maliciously caused outage may have lasted up to five hours.

While that was happening, data leak notification service Have I Been Pwned (HiBP) shared news of a cyberattack in which information on 31,081,179 archive user accounts appears to have been pilfered or accessed by one or more miscreants.

That info includes contact details and hashed passwords.

Register staff received mails from HIBP that state: “The breach exposed user records including email addresses, screen names and bcrypt password hashes.”

Kahle later confirmed the theft of the data, adding the service suffered a “defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords.”

Meaning someone was able to swipe the user records, and use a poisoned library to display this message to visitors: "Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened."

The org has disabled the vandalized JavaScript library, and is “scrubbing systems, upgrading security.”

Kahle offered no detail beyond that but promised to “share more as we know it.”

It is unclear if the DDoS and security breach are linked.

The Register sought comment from the online archive but had not received a response at the time of publication.

The two incidents continue an unhappy 2024 for the Internet Archive, which has lost a case regarding its right to lend digital assets, gone offline due to power failures, and endured other disruptive DDoS events. ®
Send us news
22 Comments

Anonymous Sudan isn't any more: Two alleged operators named, charged

Gang said to have developed its evilware on GitHub – then DDoSed GitHub

UK councils bat away DDoS barrage from pro-Russia keyboard warriors

Local authority websites downed in response to renewed support for Ukraine

Wanted. Top infosec pros willing to defend Britain on shabby salaries

GCHQ job ads seek top talent with bottom-end pay packets

Just how private is Apple's Private Cloud Compute? You can test it to find out

Also updates bug bounty program with $1M payout

Five Eyes nations tell tech startups to take infosec seriously. Again

Only took 'em a year to dish up some scary travel advice, and a Secure Innovation … Placemat?

Windows Themes zero-day bug exposes users to NTLM credential theft

Plus a free micropatch until Redmond fixes the flaw

Sophos to snatch Secureworks in $859M buyout: Why fight when you can just buy?

Private equity giant Thoma Bravo adds another trophy to its growing collection

The billionaire behind Trump's 'unhackable' phone is on a mission to fight Tesla's FSD

Dan O'Dowd tells El Reg about the OS secrets and ongoing clash with Musk

Millions of Android and iOS users at risk from hardcoded creds in popular apps

Azure Blob Storage, AWS, and Twilio keys all up for grabs

Beijing claims it's found 'underwater lighthouses' that its foes use for espionage

Release the Kraken!

Perfctl malware strikes again as crypto-crooks target Docker Remote API servers

Attacks on unprotected servers reach 'critical level'

Merde! Macron's bodyguards reveal his location by sharing Strava data

It's not just the French president, Biden and Putin also reportedly trackable