'Catastrophic' security breach as 31,000,000 passwords are stolen in Internet Archive hack

The Internet Archive Wayback Machine is a fundamental area of the Internet as we know it.

With some of the biggest search engines being almost unusable, or now just regurgitating AI slop, being able to find old pages, especially for sites that no longer exist, is a lifesaver.

Not to mention a great step forward in the effort of preservation.

Yes, even those Angelfire and Geocities fan sites of the 90s, with their low-resolution gifs and guestbook counters deserve to be preserved.

Sadly, just like any area of the internet, the Internet Archive isn’t free of being at the mercy of nonsense hackers.

As of typing, the Internet Archives Way Back Machine has been the target of a DDoS attack, and around 31 million passwords have been compromised.

The DDoS (Distributed Denial of Service) attack was confirmed by Internet Archive founder Brewster Kahle on October 10th, 2024. Kahle took to X (formerly Twitter) to update fans, and internet users alike and state that the website had been ‘defaced’ via a JavaScript library.

The attack was first discovered by visitors of the Way Back Machine on Wednesday October 9th. Those who visited the site were greeted with a JavaScript pop-up which read, 'Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!'

The 'HIBP' acronym, in this case, likely refers to the site 'Have I been Pwned', a website which anyone can use to look up if their own personal date had been involved in a cyberattack.

As reported by Forbes, Founder of HIBP, Troy Hunt had reported to Bleeping Computer, that the hacker shared a databse with them containing 6.4GB worth of data.

The stolen data contains a timestamp of September 28th, 2024, a clue to when the data may have been stolen. (Witthaya Prasongsin via Getty images.)

This data consisted of info for registered members of the Internet Archive Way Back Machine, including email addresses, screen names, password change timestampes, Bcrypt-hashed password and 'other internal data'.

It was here, to Bleeping Computer, that Hunt confirmed that 31 million email addresses, were involved in the breach.

As of typing, the pop up no longer exists. In fact, the entire Internet Archive Way Back Machines is currently not even functional.

Kahle states that those behind the DDoS attack have knocked both archive.org and openlibrary.org, offline. To be 'cautious', Internet Archive is prioritising keeping any data safe, and is also currently not available.

Internet Archive founder, Brewster Kahle, is posting updates on the databreach as it unfolds. (Westend61 via Getty images.)

If you're worried about your data, or want to keep up to date on the situation, Kahle stated he will 'share more' about the situation as it unfolds on his X account.

You can also check if your data has been affected by checking your email on the Have I Been Pwned website.

• FBI confirms 630,000,000 passwords stolen in major data breach
• Google issues warning as 48M Gmail logins are stolen in major breach
• Urgent warning issued to public as 16,000,000,000 passwords are leaked in 'biggest data breach ever'
• Horrifying report reveals 14,000 US security cameras are livestreaming creepy footage to the entire internet