Internet Archive Data Breach Exposes 31 Million Accounts

Summary:
The Internet Archive, a nonprofit digital library known for providing free access to archived websites and digital materials, has been facing a distributed denial-of-service (DDoS) attack for three consecutive days, severely limiting users’ ability to access the site. Alongside the DDoS attack, a data breach was discovered, exposing 31 million user accounts, including email addresses, screen names, and bcrypt-hashed passwords. The breach occurred in September, and about half of the leaked email addresses were already associated with previous breaches. On Wednesday, users of the "Have I Been Pwned" (HIBP) service, which alerts individuals when their email addresses appear in a data breach, began receiving notifications about the Internet Archive breach. HIBP’s operator, Troy Hunt, was sent a copy of the stolen data on September 30 but only reviewed it on October 5 due to travel. He then alerted the Internet Archive about the breach on October 6. The stolen data was contained in a 6.4 GB SQL file named "ia_users.sql," timestamped September 28, which indicates the likely date the data was taken.

While the breach was being investigated, some users visiting the Internet Archive website saw a message injected via JavaScript: "Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!" This message suggests that someone gained access to a JavaScript polyfill file on a subdomain of the Internet Archive. Polyfill files are used to support modern functionality in older web browsers, so a modified polyfill file served to every visitor is a possible entry point for attackers. However, it is still unclear whether the breach, the data leak, and the DDoS attacks are linked. A group calling itself "Sn_darkmeta" claimed responsibility for at least part of the DDoS attacks, stating that they were protesting the U.S. government's support of Israel. However, there has been no confirmation that this group is related to the data breach or the JavaScript injection.

Security Officer Comments:
Despite the breach, security experts point out that the Internet Archive used bcrypt to hash user passwords. Bcrypt is a slow hashing algorithm designed to resist brute-force attacks, making it much more difficult for attackers to crack passwords compared to faster algorithms like MD5 or SHA256. For example, brute-forcing an 8-character bcrypt-hashed password with a combination of upper and lowercase letters, numbers, and symbols could take 286 years, while a 12-character password would take 23 million years. However, shorter or simpler passwords could still be vulnerable to cracking. While users are advised to change their passwords once the site becomes accessible again, experts also warn about the possibility of password interception during the breach. If malware had been injected into the Internet Archive's infrastructure, attackers could have harvested passwords before they were hashed.

Suggested Corrections:
Researchers are advising users to adopt better password practices, including using complex passwords and avoiding reusing passwords across different websites. Even though bcrypt is highly secure, password reuse across multiple sites leaves users vulnerable to credential stuffing, where attackers use email and password combinations from one breach to try to gain access to other sites. Multifactor authentication is recommended as an additional layer of defense for users concerned about credential theft.

Link(s):
https://www.databreachtoday.com/internet-archive-data-breach-exposes-31-million-accounts-a-26498