Early Friday morning, reports began circulating that hackers had breached security on archive.org, the Internet Archive's Wayback Machine. Roughly 31 million passwords were stolen. Additionally, both archive.org and openlibrary.org have fallen victim to a Distributed Denial of Service (DDoS) attack. At the time of writing, both sites are still down.
A report by Bleeping Computer first identified the DDoS attack and the security breach. The hacktivist group Black Meta is taking credit for the DDoS attack. However, it is still uncertain whether the data theft and the DDoS attack are connected. Problems started on Wednesday afternoon, when a cryptic JavaScript message greeted users visiting archive.org. It read:
“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”
HIBP refers to Have I Been Pwned, an online service enabling individuals to check for potential data leaks and receive notifications if their information has been compromised.
Troy Hunt, owner of HIBP, stated that the hacker responsible for the data breach shared a 6.4GB file with HIBP containing account details for Wayback Machine users. This data included screen names, bcrypt-hashed passwords, and email addresses. Timestamps on the file show the theft occurred on September 28th.
Should You Be Worried?
Yes, and no. The good news is that there is an extra layer of protection in place for bcrypt-hashed passwords: the stolen file contains hashes, not the passwords themselves, and that hashing can help keep your credentials safe.
In a quote given to Forbes, Adam Brown, managing security consultant at Black Duck, states, “Using Bcrypt, if implemented correctly, will prevent the extraction of passwords. While hashes can be looked up if common passwords are used, if the hash is salted, as it is with Bcrypt, this largely prevents the use of hash look-up tables.” Black Duck is a prominent security firm focused on application security.
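As an added illustration of the salting point in the quote above (this is not code from the article or from the Internet Archive): it builds a small precomputed lookup table of fast, unsalted hashes, shows that such a table resolves an unsalted leaked hash immediately, and shows that a per-user salted, slow hash gives the same password a different digest for every user, so the table no longer applies. The standard library's PBKDF2 is used as a stand-in for bcrypt, which is not in the Python standard library; the password list and iteration count are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample of "common" passwords a precomputed table would cover.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
PBKDF2_ITERATIONS = 100_000  # constructed work factor; bcrypt uses a cost parameter instead


def fast_unsalted_hash(password: str) -> str:
    # A fast, unsalted hash: the same password always yields the same digest,
    # so one precomputed table serves against every user and every site.
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    # Maps digest -> password. Built once, reusable against any unsalted dump.
    return {fast_unsalted_hash(p): p for p in candidates}


def salted_slow_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Stand-in for bcrypt: a random per-user salt plus a deliberately slow KDF.
    # The salt is stored next to the digest, exactly as bcrypt embeds it in its output.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    # Legitimate login: recompute with the stored salt and compare in constant time.
    _, candidate = salted_slow_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def lookup_unsalted(leaked_digest: str, table: Dict[str, str]) -> Optional[str]:
    # Unsalted leak: a dictionary lookup recovers the password instantly.
    return table.get(leaked_digest)


def lookup_salted(leaked_digest: bytes, table: Dict[str, str]) -> Optional[str]:
    # Salted leak: the table was built without this user's salt, so it never matches.
    return table.get(leaked_digest.hex())


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted leak resolves to:", lookup_unsalted(fast_unsalted_hash("qwerty"), table))
    salt_a, digest_a = salted_slow_hash("password")
    salt_b, digest_b = salted_slow_hash("password")
    print("same password, different digests:", digest_a != digest_b)
    print("salted leak resolves to:", lookup_salted(digest_a, table))
    print("real login still verifies:", verify_salted("password", salt_a, digest_a))
```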
That said, changing your password is an important safety measure when a breach like this occurs, particularly if you reused the same password anywhere else. If you're concerned about your data, now is the time for a refresh. And if you're not already using passkeys or a dedicated password manager, consider incorporating them into your online security regimen.