Internet Archive hacked, data breach impacts 31 million users

Talk here about security in general. Posting illegals software is prohibited. All stuffs in this forum must be considered as for "Educational purpose only".
i3slkiller
Contributor
Contributor
Posts: 115
Joined: 03 Feb 2020, 18:51
Distribution: Porteus XFCE v5.0rc2 x86_64
Location: Poland

Internet Archive hacked, data breach impacts 31 million users

Post#1 by i3slkiller » 10 Oct 2024, 07:46

Although it does not apply to Porteus, but I think that this info may be crucial for someone.
https://www.bleepingcomputer.com/news/security/internet-archive-hacked-data-breach-impacts-31-million-users/ wrote: Internet Archive's "The Wayback Machine" has suffered a data breach after a threat actor compromised the website and stole a user authentication database containing 31 million unique records.

News of the breach began circulating Wednesday afternoon after visitors to archive.org began seeing a JavaScript alert created by the hacker, stating that the Internet Archive was breached.

"Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!," reads a JavaScript alert shown on the compromised archive.org site.

The text "HIBP" refers to is the Have I Been Pwned data breach notification service created by Troy Hunt, with whom threat actors commonly share stolen data to be added to the service.

Hunt told BleepingComputer that the threat actor shared the Internet Archive's authentication database nine days ago and it is a 6.4GB SQL file named "ia_users.sql." The database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data.

The most recent timestamp on the stolen records was ta is September 28th, 2024, likely when the database was stolen.

Hunt says there are 31 million unique email addresses in the database, with many subscribed to the HIBP data breach notification service. The data will soon be added to HIBP, allowing users to enter their email and confirm if their data was exposed in this breach.

The data was confirmed to be real after Hunt contacted users listed in the databases, including cybersecurity researcher Scott Helme, who permitted BleepingComputer to share his exposed record.

9887370, internetarchive@scotthelme.co.uk,$2a$10$Bho2e2ptPnFRJyJKIn5BiehIDiEwhjfMZFVRM9fRCarKXkemA3PxuScottHelme,2020-06-25,2020-06-25,internetarchive@scotthelme.co.uk,2020-06-25 13:22:52.7608520,\N0\N\N@scotthelme\N\N\N

Helme confirmed that the bcrypt-hashed password in the data record matched the brcrypt-hashed password stored in his password manager. He also confirmed that the timestamp in the database record matched the date when he last changed the password in his password manager.

Hunt says he contacted the Internet Archive three days ago and began a disclosure process, stating that the data would be loaded into the service in 72 hours, but he has not heard back since.

It is not known how the threat actors breached the Internet Archive and if any other data was stolen.

Earlier today, the Internet Archive suffered a DDoS attack, which has now been claimed by the BlackMeta hacktivist group, who says they will be conducting additional attacks.

BleepingComputer contacted the Internet Archive with questions about the attack, but no response was immediately available.
Last edited by i3slkiller on 10 Oct 2024, 10:55, edited 1 time in total.

vinnie
Samurai
Samurai
Posts: 132
Joined: 13 Jun 2024, 08:25
Distribution: alpine

Internet Archive hacked, data breach impacts 31 million users

Post#2 by vinnie » 10 Oct 2024, 10:36

This is why I have always thought that one should not use the Internet for vital matters, however of this news I wonder one thing.
But shouldn't passwords be stored encrypted so that they are unreadable!??!

i3slkiller
Contributor
Contributor
Posts: 115
Joined: 03 Feb 2020, 18:51
Distribution: Porteus XFCE v5.0rc2 x86_64
Location: Poland

Internet Archive hacked, data breach impacts 31 million users

Post#3 by i3slkiller » 10 Oct 2024, 10:55

vinnie wrote:
10 Oct 2024, 10:36
But shouldn't passwords be stored encrypted so that they are unreadable!??!
According to that article, IA had hashed password by bcrypt, I added this quote to first post
The data was confirmed to be real after Hunt contacted users listed in the databases, including cybersecurity researcher Scott Helme, who permitted BleepingComputer to share his exposed record.

9887370, internetarchive@scotthelme.co.uk,$2a$10$Bho2e2ptPnFRJyJKIn5BiehIDiEwhjfMZFVRM9fRCarKXkemA3PxuScottHelme,2020-06-25,2020-06-25,internetarchive@scotthelme.co.uk,2020-06-25 13:22:52.7608520,\N0\N\N@scotthelme\N\N\N

Helme confirmed that the bcrypt-hashed password in the data record matched the brcrypt-hashed password stored in his password manager. He also confirmed that the timestamp in the database record matched the date when he last changed the password in his password manager.
EDIT: Now Internet Archive page is not loading at all

i3slkiller
Contributor
Contributor
Posts: 115
Joined: 03 Feb 2020, 18:51
Distribution: Porteus XFCE v5.0rc2 x86_64
Location: Poland

Internet Archive hacked, data breach impacts 31 million users

Post#4 by i3slkiller » 22 Oct 2024, 06:04

Now Internet Archive works, items can be viewed and downloaded, but logging in is currently not possible, although Wayback Machine is running since last week.
I found info that IA had their Gitlab auth tokens leak and breach to their Zendesk https://www.bleepingcomputer.com/news/s ... ss-tokens/
and that there is no snapshots from blog.twitter.com from 2019-2023 https://x.com/0rf/status/1847814884794253671 , check it yourself

EDIT: I also noticed scammy links on item reviews posted between ~7-10th October (which I reported), don't click them!
EDIT2: IA doesn't working again...
EDIT3: IA is working again, this time I didn't check if is possible to log in. These reviews are still here...

i3slkiller
Contributor
Contributor
Posts: 115
Joined: 03 Feb 2020, 18:51
Distribution: Porteus XFCE v5.0rc2 x86_64
Location: Poland

Internet Archive hacked, data breach impacts 31 million users

Post#5 by i3slkiller » 02 Nov 2024, 18:32

Now it's possible to login to Internet Archive, but cannot add and edit items. In "Account settings" it stucks on "Connecting to esm.archive.org..." and eventually they don't show up.
I see that reviews with scam links are still here, so if you don't want to see reviews at all (including legitimate ones), add this filter to uBlock* (better late than later):

Code: Select all

archive.org###reviews
If you still want to read reviews, this filter evaporates all links from reviews:

Code: Select all

archive.org###reviews .breaker-breaker a
this still shows the links, but makes them unclickable (or at least should)

Code: Select all

archive.org###reviews .breaker-breaker a:style(pointer-events: none;)
* and think that Google, wanting to get rid of uBlock in Chrome by phasing out manifest v2, justifies it by "taking care of security", meanwhile we still can hear about sponsored scam links in their search engine...

i3slkiller
Contributor
Contributor
Posts: 115
Joined: 03 Feb 2020, 18:51
Distribution: Porteus XFCE v5.0rc2 x86_64
Location: Poland

Internet Archive hacked, data breach impacts 31 million users

Post#6 by i3slkiller » 09 Nov 2024, 08:08

Now its possible to add new items to IA, editing existing items only using 'internetarchive' python tool.

Code: Select all

:/tmp/ab$ ia upload 1_20241109_20241109_0815 6
1_20241109_20241109_0815:
 uploading 6: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:01<00:00,  1.52s/MiB]
:/tmp/ab$ ia upload 1_20241109_20241109_0815 7
1_20241109_20241109_0815:
 uploading 7: 100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:01<00:00,  1.51s/MiB]
:/tmp/ab$ 

Post Reply