Guiltandivy

Source for News

Hackers claim “catastrophic” attack on Internet Archive

A group linked to a pro-Palestinian hacktivist movement has launched a catastrophic cyberattack that exposed the data of 31 million people and compromised their email addresses and screen names.

An account on X called SN_BlackMeta claimed responsibility for the attack on the Internet Archive, which is known for its digital library and the Wayback Machine. SN_BlackMeta was previously linked to an attack on a financial institution in the Middle East earlier this year, and a security firm has linked it to a pro-Palestinian hacktivist movement.

Hashed passwords were also exposed. Although these are relatively secure, users have been advised to change their passwords. An expert also told Newsweek that individuals should avoid browsing or using files obtained from the site until the all clear is given.

This breach was accompanied by a series of distributed denial-of-service (DDoS) attacks that temporarily brought down the organization's website, archive.org, on Wednesday and continue to impact the site. Wayback Machine is also currently inaccessible.

A popup warns of a system hack. The Internet Archive, the nonprofit organization that runs the Wayback Machine, was hit by a catastrophic hack that exposed the data of 31 million users.

solarseven/Getty Images

Brewster Kahle, founder and digital librarian of the Internet Archive, confirmed the breach and acknowledged the ongoing DDoS attacks.

In a post on X, he said the JS library has been disabled, systems have been cleaned, and security has been improved, and that the organization will share more as it knows.

Newsweek contacted Brewster Kahle via direct message on X for further comment.

The digital library Internet Archive was founded in 1996 with the aim of providing “universal access to all knowledge”. It stores billions of web pages, text, audio recordings, videos and software applications.

The most commonly used service is the Wayback Machine, a tool that allows users to browse archived versions of websites as they appeared at various points in history, with snapshots of web pages dating back to the early days of the Internet.

On October 9, visitors to the Internet Archive website saw a pop-up message indicating that the site had been hacked. The message read: “Have you ever felt like the Internet Archive is running on sticks, constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”

The reference to HIBP refers to Have I Been Pwned?, a widely used service that allows individuals to verify whether their personal information has been compromised in known data breaches.

Troy Hunt, founder of HIBP, confirmed to Bleeping Computer that he had obtained a database containing email addresses, screen names, bcrypt-hashed passwords and other internal data for 31 million unique email addresses linked to the Internet Archive.

Hunt took to X to clarify the situation and confirmed his communications with the Internet Archive regarding the breach. He wrote: “I've been talking to the Internet Archive about the data breach over the last few days and didn't know the site had been defaced until people just started flagging it with me. More soon.”

Hunt also mentioned that 54 percent of compromised email addresses already existed in the HIBP database due to previous breaches.

In the eight hours since Kahle's post, Archive.org appears to be unavailable again.

“Based on publicly available evidence, the site has been thoroughly compromised. Their database was exfiltrated, suggesting that the back-end infrastructure was accessible, and their pages were defaced, suggesting that the attackers have some level of control over the web content provided to users,” Jason Meller, VP of Product at 1Password, told Newsweek.

“In addition, the website was repeatedly taken offline, indicating that the attackers have gained dominance at the network layer. This is undoubtedly a difficult and challenging time for the archive, a resource on which many of us rely,” he added.

“Given the seriousness of this breach and until they have had time for a full investigation, I strongly recommend that you avoid browsing or using the files obtained from the site until the all clear has been given,” Meller said.

Involvement of the hacker group SN_BlackMeta

SN_BlackMeta, which claimed responsibility for the attack, has previously been linked to other cyberattacks, including a record-breaking DDoS attack against a financial institution in the Middle East earlier this year.

The hacktivist group, which emerged in November 2023 and previously launched a DDoS attack on the Internet Archive in May 2024, attacked the Middle Eastern financial institution for six days using a new DDoS rental service called InfraShutdown.

Cybersecurity company Radware linked SN_BlackMeta to a pro-Palestinian hacktivist movement that uses DDoS-for-hire services such as InfraShutdown.

SN_BlackMeta wrote in posts on October 9th

The account added: “second round | New attack. 09/10/2024 Duration 6 hours” with a link to a series of status reports on check-host.net showing several connection timeouts for the Internet Archive.

A community note accompanying this post read: “The archive is not a U.S. government but a nonprofit organization that contains many resources about Palestine that we are now unable to access due to this attack.”

“Sophisticated DDoS attacks like the one The Internet Archive just suffered are often politically motivated,” Meller said.

Although SN_BlackMeta has openly claimed responsibility for the recent DDoS attack on the Internet Archive, Meller says: “While SN_BlackMeta has hinted at involvement in the data breach that occurred more than a week earlier, it is currently unclear whether they were actually responsible for this one attack or defacement of the website, which occurred on the same day as the DDoS attack.”

Newsweek asked SN_BlackMeta via X for comment.

Details of the data breach in the Internet Archive

Internet Archive users subscribed to Have I Been Pwned were made aware of the data breach late Wednesday evening when they received an email titled “You are one of 31,081,179 people affected by the Internet Archive data breach.”

The email told them that “in September 2024, the Internet Archive digital library suffered a data breach that exposed 31 million records. The breach exposed user records, including email addresses, usernames and bcrypt password hashes.”

The compromised data was apparently obtained by exploiting a JavaScript library used by the Internet Archive, which allowed the attacker to deface the website and display the pop-up message.

The database, a 6.4GB SQL file named “ia_users.sql,” contains records through September 28, 2024, suggesting the breach occurred around that time.

Cybersecurity researcher Scott Helme confirmed the validity of the data after matching his own account information with the details in the leaked database. Helme found that the bcrypt hashed password in the data matched the hashed password stored in his password manager, and the timestamps matched his records.

Bcrypt-hashed passwords are passwords that have been run through the bcrypt algorithm, a one-way hashing function, so that they are not stored in readable form. This makes it extremely difficult for anyone who comes into possession of the hashes to recover the original passwords, thereby keeping your actual password more secure.

What This Means for Internet Archive Users

The breach poses a significant problem for users who have registered accounts with the Internet Archive. Information exposed includes email addresses, usernames and bcrypt hashed passwords.

Although bcrypt is a strong hashing algorithm, users are advised to change their passwords as a precaution, especially if they use the same password on other websites.

Due to the DDoS attacks, the Internet Archive website experienced significant downtime, with services temporarily offline. The organization directed users to their social media accounts for updates during the outage.

The Internet Archive has been the target of cyberattacks in the past. In May, the same group claimed responsibility for DDoS attacks aimed at disrupting the archive's services. Jason Scott, archivist and software curator at the Internet Archive, commented on the attacks, noting that they appeared to be carried out “just because they could.”

Update 10/10/2024 at 11:01 a.m.: This story has been updated to include expert commentary from Jason Meller, VP of Product at 1Password.
