Internet Archive, the American nonprofit digital library and home of The Wayback Machine webpage archiving service, suffered a data breach late last month that has just come to light following a series of DDoS (Distributed Denial-of-Service) attacks that took the site down for several hours on Tuesday, 08 October, again the following Wednesday, and for a third time at the time of writing.
The breach exposed the email addresses, usernames, and bcrypt password hashes of roughly 31 million users.
Internet Archive under attack
Site founder Brewster Kahle confirmed the DDoS attack on X.com and later provided updates after the site’s homepage displayed a troubling message (pictured above).
Sorry, but DDOS folks are back and knocked https://t.co/Hk02WjumkL and https://t.co/Xb2ku5dgZs offline. @internetarchive is being cautious and prioritizing keeping data safe at the expense of service availability.
Will share more as we know it.
— Brewster Kahle (@brewster_kahle) October 10, 2024
The ‘HIBP’ referenced in the message refers to the data leak notification service ‘haveibeenpwned’, which also posted news of the leak. We’d recommend checking your inbox for emails that look like the one below, and if you haven’t signed up yet, that’s probably a good idea.
I have been pwned, now what?
The first step is not to panic. Just because your data is out there doesn’t automatically mean the bad guys have access to your accounts. Your next step is to check haveibeenpwned.com to see if your email address is part of this breach (or any previous breach for that matter).
If you made the cut, it’s a good idea to change your password. Thankfully, the Internet Archive used the bcrypt password hashing function to store user passwords. It transforms a user’s password into a fixed-length string of characters that cannot be reversed back into the password – ‘Password123’ becomes $2y$10$lhPHA1g2mzejjeMkFVRhZOQHBrmQW9BKvZl7bCM.L10j5svOgRynS, for example. It also mixes in an extra piece of random data per user, aptly named a ‘salt’, so two users with the same password get different hashes and an attacker cannot reuse precomputed tables, which makes cracking the hashes even more difficult.
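To make the hash format concrete, here is an added example (not code from the article or from the Internet Archive) that splits the bcrypt string quoted above into its version, cost and salt fields, and then demonstrates what a per-user salt and a tunable work factor buy. The bcrypt algorithm itself is not in Python’s standard library, so the second half of the example uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in; the names, the iteration count and the sample passwords are assumptions for the demonstration.

```python
"""Added example: inspect a bcrypt hash string and show why salting and a work factor matter."""
import hashlib
import hmac
import os
import re

# bcrypt modular-crypt format: $2y$<cost>$<22-char salt><31-char digest>
# Both salt and digest use bcrypt's radix-64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# The hash quoted in the article for 'Password123'.
EXAMPLE_HASH = "$2y$10$lhPHA1g2mzejjeMkFVRhZOQHBrmQW9BKvZl7bCM.L10j5svOgRynS"


def parse_bcrypt(hash_str):
    """Split a bcrypt hash string into its components; the cost is log2 of the key-setup rounds."""
    match = BCRYPT_RE.match(hash_str)
    if not match:
        raise ValueError("not a bcrypt hash string")
    version, cost, salt, digest = match.groups()
    return {
        "version": version,
        "cost": int(cost),
        "rounds": 2 ** int(cost),   # a cost of 10 means 1024 expensive key-setup rounds
        "salt": salt,
        "digest": digest,
    }


# Stand-in for a salted, cost-parameterised password hash (assumption: PBKDF2 instead of bcrypt).
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn per user when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def salts_give_distinct_hashes(password):
    """Two accounts sharing a password still store different digests, so a cracked
    hash or a precomputed table cannot be reused across accounts."""
    _, digest_a = hash_password(password)
    _, digest_b = hash_password(password)
    return digest_a != digest_b


if __name__ == "__main__":
    print(parse_bcrypt(EXAMPLE_HASH))
    salt, digest = hash_password("Password123")  # constructed sample password
    print("correct password verifies:", verify_password("Password123", salt, digest))
    print("wrong password verifies:  ", verify_password("Password124", salt, digest))
    print("same password, distinct hashes:", salts_give_distinct_hashes("Password123"))
```

The parsed cost field is the part worth watching as a defender: each increment doubles the work an attacker must spend per guess, so the cost a site chooses is what decides how long a leaked hash database stays useful to the people who stole it.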
While this is a secure method (much better than storing your passwords in plain text in the Notes app on your phone), it’s always better to err on the side of caution and change your password anyway. Use a password manager and a randomly generated 32-character password for bonus points.
While you’re at it, you might as well enable multi-factor authentication on any accounts that support it, even if they only offer SMS-based 2FA. A weak second factor is still better than not having any, but authenticator apps are the best option.