The founder of the Internet Archive, Brewster Kahle, confirmed the breach and stated that the site was compromised, with a pop-up message delivered through a JavaScript library.
Here’s what was said in the pop-up: “Have you ever felt that the Internet Archive is running on sticks and is constantly on the brink of a catastrophic security breach? That just happened. See 31 million of you on HIBP!”
HIBP stands for “Have I Been Pwned?”, a website where individuals can check if their information has been exposed in data breaches. HIBP operator Troy Hunt confirmed that nine days ago he received a file containing “email addresses, screen names, password change timestamps, Bcrypt hashed passwords, and other internal data” for 31 million unique email addresses, and verified its authenticity by matching the data with user accounts.
A tweet from HIBP mentioned that 54% of the accounts had already been in its database due to prior breaches. Hunt provided a more detailed timeline of events. It starts with the inquiry to the IA regarding the breach and continues through the disclosure process, up to the point where the site was compromised and subjected to a DDoS attack, just as the data was being uploaded to HIBP to begin notifying affected users.