Tue Oct 15 12:46:20 UTC 2024

## Hackers Steal 31 Million Passwords from Internet Archive, Launch Massive DDoS Attack
In a major security breach, hackers have compromised the Internet Archive’s Wayback Machine, stealing personal data of 31 million users and launching a massive Distributed Denial of Service (DDoS) attack.
The hackers gained access to the Internet Archive’s authentication database, containing email addresses, usernames, password change timestamps, and Bcrypt-hashed passwords. The stolen database was shared with Have I Been Pwned, a data breach notification service, on September 18th, suggesting the breach occurred around that date.
The breach was initially discovered through a JavaScript alert popup on the archive.org site, warning users of the data theft. The website was subsequently defaced and repeatedly knocked offline by the DDoS attack.
While the connection between the data breach and the DDoS attack remains unclear, experts believe the same threat actor may be responsible.
Security experts have praised the Internet Archive’s use of Bcrypt for hashing passwords, which makes it difficult to recover the plaintext passwords. However, the stolen database still poses a risk, as the stolen passwords can be cross-referenced against previous uses, even though they are hashed rather than stored in plain text.
The Internet Archive has taken steps to mitigate the damage, including disabling the compromised JavaScript library, scrubbing systems, and upgrading security measures.
The pro-Palestinian hacktivist group Black Meta has claimed responsibility for the DDoS attacks, but the identity of the group behind the data breach remains unknown.
This developing story highlights the increasing vulnerability of online platforms, emphasizing the importance of strong password security and multi-factor authentication.