
The Internet Archive, under siege: cyberattackers have returned to the fray after stealing data from 31 million accounts


The Internet Archive, the nonprofit initiative dedicated to preserving a wide variety of content, such as web pages, books, images and videos, is going through a difficult time. Earlier this month, cyber attackers managed to infiltrate the platform’s systems, disrupting its operation and stealing data. Days have passed and the extent of the original incident is still unclear. The reason? Malicious actors are back at it.

The original incident. Everything seemed to be working normally last Wednesday, October 9, but things got complicated from one moment to the next. www.archive.org stopped working. When you entered the page, instead of seeing its classic welcome page, you found the following message: “Don’t you get the feeling that Internet Archive works precariously and is always on the verge of a serious security breach? Well, it has happened. 31 million of you are on HIBP!”

Someone unauthorized had managed to bypass all of The Internet Archive’s security measures to publish the message and had apparently stolen the credentials. To support their claim, the group behind the attack cited HIBP as a reference. This is Have I Been Pwned, an initiative that allows people to find out whether their email address or phone number has been compromised in a breach. For that to work, however, the breached data must be included in its database.



The Internet Archive login page

The creator of HIBP, Troy Hunt, confirmed that on September 30 he had received information about the breach. It was a 6.4GB SQL file called “ia_users.sql” containing login information for millions of Internet Archive users, including email addresses and bcrypt-hashed passwords. Indeed, the attackers had stolen information from the Internet Archive, compromising the security of users, but there was more.

DDoS attack and more stolen data. Although the Internet Archive’s systems had been compromised earlier, the cybercriminals announced it on October 9, and a DDoS attack followed that prevented users from changing their passwords (now that the page is working, it is advisable to change your password). Internet Archive’s Brewster Kahle confirmed the incident and said they would carry out a series of measures to restore the platform’s functioning and improve security.

Over the past weekend, the cybercriminals were back at it. Several Reddit users reported receiving a suspicious email from The Internet Archive Team support service. This is the channel anyone can use to contact the Internet Archive to ask questions or, for example, request the removal of a site from its archive. The attackers claimed they had access to support tickets managed through the Zendesk platform.


“It is frustrating to see that, even though we were notified of the breach two weeks ago, Internet Archive is still not taking the necessary steps to rotate the leaked API keys in its GitLab,” the message said. If this turns out to be true, the fact that attackers have access to an official means of contact is not good news. This resource could be used to mount very effective phishing campaigns, that is, those in which a third party pretends to be a legitimate organization.

An organization with a limited budget. The Internet Archive has more than 30 years of history and is a valuable treasure of the digital age in which we live. It offers us a glimpse into the past in a few clicks, but also preserves much content that is not accessible in any other way. That said, we are talking about an organization that, according to its founder, did not prioritize investing in cybersecurity due to its limited budget of between $20 and $30 million a year.
