The Internet Archive is under attack, with a breach exposing information on 31 million accounts

When visiting the Internet Archive (www.archive.org) on Wednesday afternoon, The Verge was greeted by a pop-up window saying the site had been hacked.

Here's what the popup said:

“Have you ever felt like the Internet Archive is on hold, constantly on the verge of a catastrophic security breach? It just happened. See 31 million of you on HIBP!”

HIBP refers to Have I Been Pwned?, a website where people can look up whether their information has been published in data leaked from cyberattacks. HIBP operator Troy Hunt confirmed to BleepingComputer that nine days ago he obtained a file containing “email addresses, screen names, password change timestamps, Bcrypt hashed passwords and other internal data” for 31 million unique email addresses, and verified its validity by matching the data against a user's account.

A tweet from HIBP said 54 percent of the accounts were already in its database from previous breaches. In posts to his account, Hunt provided further details about the timeline, from contacting the IA about the breach on October 6th and continuing the disclosure process to the website being defaced and hit by a suspected DDoS today, all while the data was being loaded into HIBP to notify affected users.

After closing the message, the page loaded normally, albeit slowly. It's unclear what happened to the site, but attacks on services like TweetDeck have exploited XSS (cross-site scripting) vulnerabilities with similar effects.

As of 5:30 p.m. ET, the popup was gone, but so was the rest of the site. What remained was either nothing or a placeholder message saying “Internet Archive Services is temporarily offline” that directed visitors to the site's account on X for updates.

Jason Scott, archivist and software curator at The Internet Archive, said the site was the victim of a DDoS attack, posting on Mastodon: “According to Twitter, they're just doing it to do it. Simply because they can. No statement, no idea, no demands.” Separately, the IA's Brewster Kahle wrote: “Yesterday's DDOS attack on @internetarchive was repeated today. We are working on getting http://archive.org back online.” Neither mentioned the breach.

An account on The account also posted about DDoS attacks on the archive in May, and Scott has previously posted about attacks apparently aimed at disrupting the Internet Archive.

We have contacted the organization for more information.

Update, October 9th: Added information from HIBP and BleepingComputer's confirmation of the breach.

By Vanessa
