Data leak, DDoS and defacement: cyber attacks on the Internet Archive

Unidentified persons have repeatedly tampered with the Internet Archive. User data and password hashes were stolen back in September.


The Internet Archive has set itself the task of preserving ephemeral data for posterity: websites, books, but also historical software, apps and films. The non-profit organization, which is governed by US law, has amassed a huge treasure trove of data. It has now become known that parts of this treasure, namely the access data of archive users, have fallen into unauthorized hands. In addition, the Internet Archive has suffered a DDoS attack and a defacement attack in recent days.

Back in September of this year, attackers gained access to the archive's internal systems and copied the member database. In addition to user names and e-mail addresses, the cybercriminals also captured the passwords of the archive.org accounts, which had been hashed using "bcrypt". Although most of the contents of the Internet Archive can also be accessed without an account, an account is required for the virtual lending of media, such as e-books or films, and for other functions.

On September 30, the user database was leaked to Troy Hunt, the operator of the "Have I Been Pwned" (HIBP) service, who was traveling and only informed the Internet Archive about it almost a week later. He entered the data into his database of "pwned" user accounts with the aim of informing his subscribers within 72 hours.

This happened on Thursday night. HIBP informed those affected by email about the data theft. Although the access passwords are hashed using the "bcrypt" method, which is relatively secure against cracking and brute force attacks, users of the Internet Archive should change their passwords as a precaution.

That would have been easier said than done, at least yesterday (Wednesday), as the Internet Archive suffered a DDoS attack that locked out many users. The monitoring service Downdetector reported severe disruptions between 18:30 and 02:00 CEST, and the archive itself also confirmed attacks on Tuesday and Wednesday. The outage is particularly annoying as it was only a few weeks ago that Google announced the archive's "Wayback Machine" as a replacement for the cache function that was abolished in February.

And as if all this trouble wasn't enough, a strange pop-up awaited users who made it past the flood of data to the archive.org homepage. A text box, apparently smuggled in using JavaScript, asked whether users didn't have the feeling that the Internet Archive was constantly on the verge of a catastrophic security incident. At the time, however, only Troy Hunt and the operators of the Internet Archive could answer this strangely prophetic question in the affirmative, as the data loss had not yet been made public.

The cause of the defacement was apparently a supply chain attack: as Brewster Kahle from the Internet Archive operating team confirmed, attackers had hijacked an externally integrated version of the "Polyfill" library and added some additional, but fortunately benign, JavaScript code.

Presumably, the three attacks are not directly related. In a list of the events, Troy Hunt speculates that they just happened to take place at the same time. It is currently unclear who defaced the Internet Archive's website and what the motivation was for stealing the non-profit service's user database. The DDoS attack, on the other hand, is being claimed by a group that describes itself as a fighter against the "global Zionist regime" on its Telegram channel.

(cku)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.