The Internet Archive was hacked this afternoon and the site defaced with a heart-sinking message that claims 31 million records have been compromised:
Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!
Have I Been Pwned (HIBP) creator Troy Hunt confirmed to BleepingComputer that the threat actor shared the compromised database nine days ago, a 6.4GB SQL file named "ia_users.sql." The last timestamp on the records is September 28, 2024. Hunt confirmed there are 31 million unique email addresses in the database, although 54% of them already exist in HIBP. He contacted users listed in the database and confirmed the data was real. Hunt plans to add the data to HIBP so users can check to see if their data was exposed in this breach.
Two hours ago, the Internet Archive published an update to X, pointing to a message about the service having been under a DDoS attack this week. Such an attack may have been difficult to discern as the archive's painfully slow performance is nearly indistinguishable from a site under a DDoS attack. They have not yet directly addressed the defacement or given any more information on the attack’s entry point.
This news evoked a visceral reaction from commenters, as the Internet Archive is considered one of the cornerstones of the internet. Most people commenting on the compromise were more worried about the historical data and infrastructure than the stolen emails, underlining the immense value users place on the archive's preservation efforts.
Many are hoping that the hack is merely a case of stored cross-site scripting (XSS), as opposed to a more severe security breach involving unauthorized access to sensitive data or extensive system compromise.
Commenters on X and Reddit speculated that the defacement originated from a malicious polyfill, referencing the Polyfill[.]io supply chain attack from earlier this year.
Others have speculated that the attack may have been orchestrated by a sponsored group, given the significant number of individuals who oppose the permanent preservation of certain information on the Internet Archive. Many are uncomfortable with the notion that truthful data remains accessible indefinitely and would prefer its removal.
Internet Archive has not yet confirmed the details of the breach and vx-underground reports no threat actors have taken credit for the compromise. The site appears to be functioning normally at the time of publishing, and more comprehensive details regarding the breach are expected to be provided soon.
UPDATE: Internet Archive confirms the website was defaced via a JS library, which has now been disabled: