The Internet Archive Has Been Hacked

There are a great many organizations out there, all with their own intentions—some selfish, some selfless, some that land somewhere in between. Most would put the Internet Archive in the category of the library—with its aim of preserving and providing knowledge for the aid of all who might call on it. Sadly, as [theresnotime] reports, it appears this grand institution has been hacked.

On Wednesday, users visiting the Internet Archive were greeted with a foreboding popup that stated the following:

Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!

The quote appears to refer to Have I Been Pwned (HIBP), a site that collates details of security breaches so individuals can check if their details have been compromised.

According to founder Brewster Kahle, the site was apparently DDOS’d, with the site defaced via a JavaScript library. It’s believed this may have been a polyfill supply chain attack. As for the meat of the hack, it appears the individuals involved made off with usernames, emails, and encrypted and salted passwords. Meanwhile, as Wired reports, it appears Have I Been Pwned first received the stolen data of 31 million users on September 30.

At the time of writing, it appears the Internet Archive has restored the website to some degree of normal operation. It’s sad to see one of the Internet’s most useful and humble institutions fall victim to a hack like this one. As is always the way, no connected machine is ever truly safe, no matter how much we might hope that’s not the case.

[Thanks to Sammy for the tip!]

33 thoughts on “The Internet Archive Has Been Hacked”

  1. If there truly is a significant subculture of people out there fitting anything close to the media’s description of a ‘hacker’… I would think whoever did this would be a very juicy target now.

  2. Dunno why linking around to some other sites to load code is acceptable anyways.

    “But JavaScript is safe, it cannot do any harm to your computer” said my colleague a few days ago.

    1. Indeed. And the vast majority of websites have no good reason to use scripting at all, much less the common horror of hundreds or thousands of Javascript libraries of uncertain provenance and quality.

      Sites that use scripting to offer an improved UX should degrade gracefully if scripts are blocked, and should host scripts locally. Yes, that means you don’t get updates automatically; that’s a Good Thing. It’s the site maintainer’s responsibility to track updates to their dependencies, and promptly review them and install them if they’re legitimate.

      Your Javascript framework has so many transitive dependencies that such an approach is infeasible? Then don’t use that framework. It’s not fit for purpose.

      The software industry is a mess, and the quintessential example is the use of Javascript frameworks and libraries.

      1. It’s not the scripting itself, it’s the libraries and frameworks and crap that get complicated. It’s a pretty poor experience making a site perform actions purely by e.g. submitting forms with no javascript. (So that at least the server can run actual code and do something useful for a change) You can just barely do a few things you used to need scripts for by using modern CSS, but otherwise you’ll need at least a line or two of javascript from time to time. Well, unless you’re purely using the web for hosting documents you’ve marked up, but that’s not what most of these sites do anymore.

    1. I learned about archive by reading articles about famous people posting something they soon had to delete and pretend it was never said. But the archive already got them archived. So there are like millions of politicians or celebrities that would love to take back what they said (or did) in the past. And there are those uncomfortable events that took place but for reasons (better or worse) are better not reminded to public due to current events (that are also not really glorious).

    1. i mean, “the internet” is hacked, and has been for some time, in the sense that ISPs around the globe are beholden to various governments around the globe to make available all sorts of info including firehose of the traffic going through in some cases.

  3. well now I’m happy to not have done password reuse for my account there.

    And maybe, I’m hoping, this attack only had the goal of generating media coverage which would cause support for the Archive, considering they directly released everything: I too had the feeling described in the defacing message, that’s why I didn’t reuse any password there in the first place.

  4. Not really a big deal as my IA account was a throw away to borrow books. Not really sure whose life would be ruined by this dump unless they reused their login combo (“I gotta change the combination on my luggage!”) It is crappy someone decided to do this though. :(
    One disturbing trend I have noticed in the old ISOs is a few goobers putting dodgy links to get said old files and not having them hosted on IA. It is basically an old skool dragon chase for an unzippable virus that just sets up a Dosbox VM of some ilk and executes its load from there. The one I tested contained a ransomware kinda thing that would encrypt the drive but hilariously like oldskool the password was the filename smh. I could not decide if whoever did it was being malicious or having a bit of fun, but reported it anyway as they had done a massive shitpost dump over the uploaders I know and/or trust. I don’t think the two things are related at all but I had not seen such obvious poisoning of a collection like that before. I always wonder what will happen when linux repos get the proverbial hot tub shat. Anyway good to know I need to change my login stuff.

  5. man the internet archive is so cool

    when libraries get old digital resources, they often stumble on the software. some 1990 collection of scanned maps, originally distributed on 20 floppy disks, with an MSDOS program that doesn’t work anymore under windows 2024. i’m not saying archive.org is perfect at it by any stretch but they put a lot of work into distributing dosbox in a browser window or whatever hack is needed to still use the older digital content.

    there’s definitely a huge need for a library taking on these tasks.

    1. Yessssss! I was blown away when I learned about the software side of IA!
      No one else is doing such work as this!
      It is a valiant cause, important to us now, and arguably much more so for the future!
