The Internet Archive, a digital library with a vast collection of books, music, and movies, has suffered a significant data breach that exposed the personal information of 31 million users. The breach, which occurred in September, was confirmed by the organization on Wednesday after a JavaScript pop-up on the site warned users of the attack.
According to security researcher Troy Hunt, who runs the data-breach-notification website Have I Been Pwned (HIBP), the stolen data includes unique email addresses, usernames, bcrypt password hashes, and other system data. Bleeping Computer, which first reported the breach, verified the validity of the data.
The Internet Archive’s founder, Brewster Kahle, acknowledged the breach in a public update on the social network X, stating that the organization had disabled a JavaScript library and was scrubbing systems to prevent further damage. He also mentioned that the site had been grappling with a wave of distributed denial-of-service (DDoS) attacks, which have intermittently brought down its services.
The DDoS attacks, which have been ongoing since late May, have been claimed by the hacktivist group BlackMeta, which has vowed to continue targeting the Internet Archive. However, the perpetrator of the data breach remains unknown.
The Internet Archive has faced numerous challenges in recent months, including a lawsuit brought by book publishers, which argued that its digital lending library violated copyright law. The organization has also faced an existential threat in the form of a copyright lawsuit from music labels, which could result in damages of up to $621 million.
Hunt revealed that he first received the stolen data on September 30, reviewed it on October 5, and warned the Internet Archive about it on October 6. He planned to load the data into HIBP and notify its subscribers about the breach on Wednesday. The timing of the breach and the DDoS attacks appears to be coincidental.
While Hunt encouraged the Internet Archive to publicly disclose the data breach earlier, he acknowledged the organization’s challenges and expressed understanding for the delay. “They’re a nonprofit doing great work and providing a service that so many of us rely heavily on,” he said.
The Internet Archive has been vulnerable to DDoS attacks in the past, and its services have been intermittently unavailable. The organization has been working to upgrade its security measures and protect its users’ data. However, the recent breach and DDoS attacks have raised concerns about the site’s vulnerability and the importance of data protection.