The Internet Archive appears to be the victim of multiple, targeted attacks that have impacted at least 31 million individuals.
The Internet Archive, founded by Brewster Kahle, is a non-profit that provides access to historical materials and information once available online. Recently, its “Wayback Machine,” estimated to hold over 860 billion now-extinct web pages, faced a massive data breach.
According to Bleeping Computer, the breach was first recognized on October 9th, when visitors to archive.org began seeing a JavaScript alert from the hacker that read, “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”
HIBP, or Have I Been Pwned, is a breach notification service with which threat actors commonly share stolen data. HIBP’s creator, Troy Hunt, confirmed that the threat actor had shared the Internet Archive’s authentication database with the organization. The information included email addresses, screen names, password change timestamps, hashed passwords, and other internal data.
Based on when the data was given to HIBP, it’s believed the records were first stolen on September 28th.
Since then, the Internet Archive has been the target of a second attack, which resulted in both archive.org and openlibrary.org being taken offline. In another attack on October 20th, its Zendesk support email was breached.
It’s believed that the data may have been breached through stolen access tokens. Currently, the Internet Archive remains unavailable as its tech team works to secure the system.
Targeted breaches like this can be alarming because it can be difficult for an organization to respond to multiple attacks. In this case, it’s unclear whether the attacks originated from one actor or were the result of multiple threat actors attacking in a similar time frame.
The hackers boasted that the Internet Archive’s cybersecurity system was weak. As attackers become more skilled, cybersecurity that used to be effective may no longer be sufficient against evolving threats.
Data breaches like these can open up organizations to a host of problems, from class action lawsuits to penalties from regulatory organizations. The best strategy is to have a robust cybersecurity system from the beginning.