DDoS attacks on Internet Archive continue after data breach impacting 31 million

The Internet Archive said its site is still being knocked offline by hackers who allegedly stole data on 31 million users of the platform.

The nonprofit digital library, which runs the Wayback Machine of archived web pages, went offline on Wednesday after a distributed denial of service (DDoS) attack.

Brewster Kahle, founder of the Internet Archive, said that after it fended off the disruptive junk web traffic from the DDoS attack, the website was defaced. Hackers also stole the usernames, emails and encrypted passwords of all registered users. 

The Internet Archive disabled the source of the breach, scrubbed systems and upgraded security, according to Kahle. But on Thursday morning the DDoS attacks had returned and knocked both the Internet Archive site and OpenLibrary platform offline, he said.

“Internet Archive is being cautious and prioritizing keeping data safe at the expense of service availability. Will share more as we know it,” Kahle said. 

The attack was later claimed by a group of hackers going by the name SN_BLACKMETA. Researchers have noted that while most of its posts are written in Russian and the working hours align with Moscow time, the group has explicitly targeted institutions across the Middle East with powerful DDoS attacks. 

The group’s X and Telegram posts — which say they are located in Staraya Russa — repeatedly declare they are launching the attacks at perceived opponents to Palestine.

Internet Archive offline message, October 10, 2024.

Screenshot of the Internet Archive's offline message early Thursday afternoon, Eastern U.S. time.

The hackers claimed they targeted the Internet Archive “because the archive belongs to the USA, and as we all know, this horrendous and hypocritical government supports the genocide that is being carried out by the terrorist state of ‘Israel.’”

The incident took a turn on Wednesday evening when privacy expert Troy Hunt said he had been contacted by hackers who claimed they stole user information from Internet Archive.

Hunt, who runs the HaveIBeenPwned service, provided more details on where the stolen information may have come from and said the hackers reached out to him on September 30 but he was only able to go through the files on October 5. The next day he contacted Internet Archive and told them he planned to add the stolen information to his platform within 72 hours.

HaveIBeenPwned (HIBP) lets users know whether their login information for a service or website has been leaked. Hunt said he contacted Internet Archive again on October 8 to let them know he planned to put the information into his platform on October 9.

“They get defaced and DDoS'd, right as the data is loading into HIBP,” Hunt said. “The timing on the last point seems to be entirely coincidental. It may also be multiple parties involved and when we're talking breach + defacement + DDoS, it's clearly not just one attack.”

Hunt added that everyone should change their password on the site once the Internet Archive is back up and running. 

“Obviously I would have liked to see that disclosure much earlier, but understanding how under attack they are I think everyone should cut them some slack. They're a non-profit doing great work and providing a service that so many of us rely heavily on,” he said. 

BleepingComputer confirmed that some of the emails in the leaked data are legitimate. 

SN_BLACKMETA launched a powerful DDoS attack on a financial institution in the Middle East this year, and its Telegram feed is full of messages criticizing the government of the United Arab Emirates (UAE) for its perceived support of Israel and for its alleged involvement in the current Sudanese civil war.

In addition to the UAE, the group has attacked the International Airport of Azrael and the Saudi Ministry of Defense.

Infrastructure organizations in Canada and France as well as telecoms in Israel and the Tel Aviv Stock Exchange were also attacked as the group continued its campaign through March. In May and June 2024, they expanded to target tech giants like Microsoft, Yahoo and Orange. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.