31 million records containing email addresses and password hashes exposed:
Archive.org, possibly one of the only entities to preserve the entire history of the Internet, was recently compromised in a hack that revealed data of roughly 31 million users.
A little after 2 PM California time, social media blew up with screenshots showing what the archive.org homepage displayed.
It read:
archive.org
Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!
HIBP is short for Have I been Pwned, the authoritative site for breach notifications that help people protect their accounts after they've been compromised.
The message didn't last long. Soon after it appeared, archive.org, when it loaded at all, displayed a message saying the site was temporarily down. Later, the site returned. Archive.org's Brewster Kahle said on a social media site that the archive had come under a DDoS attack.
Now, Have I Been Pwned is reporting that archive.org was hacked. HIBP said the compromise occurred last month and exposed 31 million records containing email addresses, screen names, and bcrypt-hashed passwords.
See also: Internet Archive Breach Exposes 31 Million Users
Related Stories
Arthur T Knackerbracket has processed the following story:
The Internet Archive is back online in a read-only state after a cyberattack brought down the digital library and Wayback Machine last week. A data breach and DDoS attack kicked the site offline on October 9th, with a user authentication database containing 31 million unique records also stolen in recent weeks.
The Internet Archive is now back online in a “provisional, read-only manner,” according to founder Brewster Kahle. “Safe to resume but might need further maintenance, in which case it will be suspended again.”
While you can access the Wayback Machine to search 916 billion web pages that have been archived over time, you can’t currently capture an existing web page into the archive. Kahle and team have gradually been restoring Archive.org services in recent days, including bringing back the team’s email accounts and its crawlers for National Libraries. Services have been offline so that Internet Archive staff can examine and strengthen them against future attacks.
[...] The Internet Archive outage came just weeks after Google started adding links to archived websites in the Wayback Machine. Google removed its own cached pages links earlier this year, so having the Wayback Machine linked in Google search results is a useful way to access older versions of websites or archived pages.
Previously: Archive.org, a Repository Storing the Entire History of the Internet, Has a Data Breach
(Score: 1, Insightful) by Anonymous Coward on Sunday October 13, @11:23PM (12 children)
Does anyone else see a problem with an internet billionaire having control of the IA?
(Score: 0) by Anonymous Coward on Monday October 14, @02:33AM (5 children)
Not particularly. It's no more a single point of failure than an archive site set up by a nonprofit organization would be. We should all be backing up and sharing the data we want to keep for posterity, whether by centrally administrated archives, files on some dude's hard drive, torrents, etc.
(Score: 2) by https on Monday October 14, @01:22PM (4 children)
Notice how you just let slide the framing that it's controlled by a billionaire?
Offended and laughing about it.
(Score: 1, Touché) by Anonymous Coward on Monday October 14, @05:28PM (2 children)
Because it's inconsequential. Without that billionaire, the IA wouldn't even exist in the first place, so what is the relevance of bringing up the wealth of the owner?
(Score: 0) by Anonymous Coward on Monday October 14, @05:34PM (1 child)
"so what is the relevance of bringing up the wealth of the owner?"
Paul Allen and what happened to the Living Computer Museum
But trusting a San Francisco tech bro and his data hoard isn't anything to worry about, right?
(Score: 0) by Anonymous Coward on Monday October 14, @10:00PM
Who said anything about trust? His data hoard is my convenience. Anything I need to dependably archive I keep in my own data hoard.
(Score: 2) by HiThere on Monday October 14, @05:37PM
I don't think that billionaires average any worse than other people. It's just that when they're abusive, we're much more likely to hear about it. However once you grant the "single point of failure", you've already addressed that factor. The real problem is the "single point of failure", and that needs a redesign.
(This isn't totally true, as market forces tend to create and foster "single point of failure" dynamics when one entity is strongly dominant. An example is all the devices that will only run on Microsoft software (or Apple hardware/software).)
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 5, Touché) by Rosco P. Coltrane on Monday October 14, @03:14AM (1 child)
I see a problem with the entire internet being controlled by billionaires.
(Score: 5, Insightful) by mhajicek on Monday October 14, @09:21AM
I see a problem with the entire world being controlled by billionaires.
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 3, Insightful) by darkfeline on Monday October 14, @07:09AM (2 children)
No? They're free to use their resources how they wish, whether that be on yachts, hookers and blow, or a public data archival project.
Join the SDF Public Access UNIX System today!
(Score: 4, Touché) by pTamok on Monday October 14, @10:01AM (1 child)
How about influencing the political process to obtain advantages for billionaires not available to non-billionaires? Should they be free to do that?
(Score: 0) by Anonymous Coward on Monday October 14, @07:06PM
Yes, they should... I would just recommend that we don't reelect their handmaidens if the goal is to minimize their influence. All the power they have is given to them by us, and it's about to happen again in about three weeks.
(Score: 2) by EJ on Monday October 14, @12:33PM
No one is stopping you from making your own.
(Score: 3, Insightful) by Anonymous Coward on Monday October 14, @01:41AM (10 children)
Never ever use real personal data on the internet. Yeah, it would screw up access to government services, but find me one site that hasn't been breached, I dare ya... And how do you know if Have I Been Pwnd hasn't been pwnd, or isn't a honeypot? Are we just supposed to trust them? If you put your name and email in there, it can attract unwanted attention, and with all the secret laws, NSLs, and gag orders, nobody knows if it is sent directly to the feds. Just conspiracy theories, right?
The internet is totally untrustworthy, use it at your own risk. But you can help improve things by keeping your private information private, use throwaway email accounts and fake names. In a world of criminals, you have to blend in.
(Score: 4, Touché) by Reziac on Monday October 14, @02:20AM (7 children)
I admit to having the same reservation about Have I Been Pwnd.... has it been pwnd? How would I know??
And there is no Alkibiades to come back and save us from ourselves.
(Score: 5, Insightful) by Rosco P. Coltrane on Monday October 14, @02:48AM (6 children)
Exactly this.
When HIBP came about, the first thing I thought was "If I wanted to create the perfect honeypot, I'd make a website asking people their creds to check if they've been hacked."
I'll never, EVER use this HIBP. It's sketchy AF. I don't understand how anybody trusts them.
(Score: 1, Funny) by Anonymous Coward on Monday October 14, @04:04AM (1 child)
:-) A quick study of the average Trump supporter will fill in the missing pieces. The old traveling medicine shows did pretty good business also. Manhattan was sold for 60 guilders.
Plus ça change, plus c'est la même chose
(Score: 3, Touché) by HiThere on Monday October 14, @05:40PM
But Manhattan was sold by folks who neither owned it nor (if what I've read is correct) lived there. They were just traveling through.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 3, Informative) by pTamok on Monday October 14, @10:15AM (2 children)
AFAIK, the k-anonymity process keeps your information private:
https://www.troyhunt.com/understanding-have-i-been-pwneds-use-of-sha-1-and-k-anonymity/ [troyhunt.com]
I played around with it a bit when HIBP was first launched. These days, for bulk queries, you need an API key.
(Score: 2) by Reziac on Tuesday October 15, @12:20AM (1 child)
My brain hurts. In small words, what did he say?
And there is no Alkibiades to come back and save us from ourselves.
(Score: 5, Informative) by pTamok on Tuesday October 15, @08:29AM
k-anonymity
You hash your password (that you want to check) locally on your PC. The SHA-1 hash gives you 40 hexadecimal characters of hash.
You send the first five (only) hexadecimal digits to HIBP.
HIBP sends back all the password hashes it has where the first 5 digits are the same as the one you sent.
You check (on your PC, locally) the list of hashes sent back, and if the original hash you calculated is in that list somewhere, you know your password is in HIBP's collection. Congratulations! You have been pwned!
HIBP does not know if your password was found, it just has a list of password hashes that might include your password.
The initial hashing and subsequent checking of the returned list can be done locally on your machine using javascript, if you trust the script sent to you on the web-page. Or you can use the API, so you have full control of what is sent and see what is returned.
If you want to be anonymous, open the HIBP web-page through TOR, or a couple of VPNs.
You can do all this manually.
To check if the password "soylent" is in the HIBP database:
Do a sha-1 hash of "soylent"
$ echo -n soylent | sha1sum
45954e77345293a709b7c2edb63f4e70a98c731f -
The first 5 hexadecimal digits are 45954
Look it up
https://api.pwnedpasswords.com/range/45954 [pwnedpasswords.com]
and you get a chunk of hashes back which all start with 45954. The first 5 digits are not repeated on each line as there's no point. If you search for the final 35 digits of your hash you get
.
..
...
E68DE6B94829321D4509CE563F0FE0A7BD6:3
E70CF7F05E1EA3553F1481B983ECFD2B510:1
E77345293A709B7C2EDB63F4E70A98C731F:738
E7A393A597575F19FDBAB0347090FBA96E3:1
E7A4D05D9BDD2BEE0FECFFC42C134A12D74:45
...
..
.
...and you see that the password "soylent" appears 738 times in HIBP's database (at the time of my query).
Only you know which of the hashes in the chunk was relevant to you.
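The range check pTamok walks through above, written out as an added Python example (not from the comment, and not HIBP's own client code): the password is hashed locally, only the 5-character prefix is handed to the fetcher, and the 35-character suffix is matched against the returned range on your own machine. The fetcher used here is a constructed offline stand-in that returns the five lines quoted in the comment; `fetch_range_live` (a hypothetical name) shows the real endpoint call but is not exercised.

```python
import hashlib
import urllib.request

# Constructed offline stand-in for the body of
# GET https://api.pwnedpasswords.com/range/45954 (the five lines quoted above;
# a real response runs to several hundred lines).
SAMPLE_RANGE_45954 = """E68DE6B94829321D4509CE563F0FE0A7BD6:3
E70CF7F05E1EA3553F1481B983ECFD2B510:1
E77345293A709B7C2EDB63F4E70A98C731F:738
E7A393A597575F19FDBAB0347090FBA96E3:1
E7A4D05D9BDD2BEE0FECFFC42C134A12D74:45
"""

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password locally and split the 40 hex digits into the
    5-character prefix that is sent and the 35-character suffix that stays here."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skips blank lines,
    tolerates CRLF and lower-case hex."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def count_in_range(suffix: str, body: str) -> int:
    """How many times the full hash appears in the returned range (0 = not found)."""
    return parse_range(body).get(suffix.upper(), 0)

def offline_fetch(prefix: str) -> str:
    """Constructed fetcher: only knows the one range quoted on this page."""
    return SAMPLE_RANGE_45954 if prefix == "45954" else ""

def fetch_range_live(prefix: str) -> str:
    """Real endpoint call (hypothetical helper name); not used by the offline check."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def check_password(password: str, fetch_range=offline_fetch) -> int:
    """k-anonymity check: only the 5-hex-digit prefix ever leaves the machine."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch_range(prefix))

if __name__ == "__main__":
    print(check_password("soylent"))  # 738, the count quoted in the comment above
```

Swap `offline_fetch` for `fetch_range_live` to query the real range endpoint; the suffix comparison still happens locally either way.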
(Score: 1) by dilbert on Tuesday October 15, @04:58AM
(Score: 2) by mcgrew on Monday October 14, @04:23PM (1 child)
Hard to stay off the internet if you need an ISBN. Or these days, a lot of everything. When my EV got totaled the damned insurance company wanted me to use their phone app! Now, no way will I enter my personal info in to a PHONE. I'll let you use my phone, I WON'T let you use my wallet. It was actually hard to do over the phone by voice with a human, but I'm not putting an insurance app on my phone, let alone a McDonald's app!
A Russian operative has infiltrated the highest level of our government. Where's Joe McCarthy when we need him?
(Score: 0) by Anonymous Coward on Monday October 14, @08:00PM
Really? It can't be done on paper anymore?
(Score: 5, Funny) by KritonK on Monday October 14, @04:53AM
They should upload these data on archive.org, so that they become easily available.
(Score: 3, Interesting) by ShovelOperator1 on Monday October 14, @09:13AM (4 children)
Wasn't there an active DDoS going on the IA a few hours ago? WM works poorly, and the rest seems to be off grid.
There is, as previous Commenters noticed, unfortunately, a single point of failure. Single service, on a single set of servers which cannot be easily relocated, replicated or moved, located in a politically imperialist country who likes to start wars with everyone else, this is some problem. However - the one-side censorship, always in favor of one side of the conflict, is unfortunately a bigger problem - a clear manifestation of a specific engagement. This is the worst thing any archive may do - picking sides. Museums are not fortresses! They don't have comfort of mobilizing soldiers and bringing defenses.
The idea is: how can the problem be solved?
There are petabytes of data. Assume 50PB, but I probably underestimate. If a single user would seed the 1GB torrent, this would take a bit more than 52 million seeders, which is not imaginable even with the most popular torrents in history. With modern "circulating data" protocols, I guess that it can hold maybe 10PB as maximum.
Network in the network involving libraries?
That would require the equality before the law, and this is impossible in any imperialist countries - in the west, the privileged caste are corporations, in the east - the oligarchs.
Although blowing up the "intellectual property" to the pieces using an AI company precedent and the equality before the law would look fun :-).
(Score: 5, Informative) by Unixnut on Monday October 14, @11:19AM
Archive.org provides torrents for every entry they have, allowing you to partake in distributed storage and sharing of their data. I myself had been doing so with any entries I made use of, so you can assist right now in preserving the data if you wish.
(Score: 2) by mcgrew on Monday October 14, @04:29PM (2 children)
There is, as previous Commenters noticed, unfortunately, a single point of failure. Single service, on a single set of servers which cannot be easily relocated, replicated or moved, located in a politically imperialist country who likes to start wars with everyone else, this is some problem
Is that accurate? Did you research it, or is it a halfassed guess? For instance, my sites are hosted by R4L in Canada, I'm in the US. Canada has never been an imperialist country, but the US has territories.
However - the one-side censorship, always in favor of one side of the conflict, is unfortunately a bigger problem - a clear manifestation of a specific engagement.
More than a citation is required, proof is NEEDED. Prove it or you're no better than Donald Trump or George Santos. Who's been censored? Where did you hear this, social media?
A Russian operative has infiltrated the highest level of our government. Where's Joe McCarthy when we need him?
(Score: 2) by ShovelOperator1 on Monday October 14, @06:17PM
Rather a guess based on trying to obtain, and load, various items thru different channels, including Torrent.
However, a small disclaimer - I never checked where these files went from/to, however, I don't need to verify it to see that it unfortunately is subjected to U.S. jurisdiction.
About the censorship, picking sides does not limit to conflicts inside a single country, this isn't even a problem here! Recently, they deleted access to their, call it gently, "digital library" as illegal, and simultaneously refused deleting content totally illegal in many other countries (like in the Middle East), while still serving their services to citizens of these countries. This is sufficient to be considered as picking sides by the country that filed a complaint. And it would be sufficient for all of these hacktivists to pass as many packets to the site as needed to crash the servers.
I'm not trying to propose any solution for this particular problem. A decade ago I would try to write something out about education of how the Internet works and what limits are not here contrary to the paper/film/disc-based media, but now it looks like the education goes the other way - how to limit the Internet. In current conditions, in which writing about subject is notoriously confused with identifying with the subject, any solution, even suited for the most developed countries, will look like trying to teach diplomacy to two thugs with clubs.
(Score: 1, Touché) by Anonymous Coward on Monday October 14, @07:16PM
That's right. As part of the commonwealth, they are still a colony. Their "independence" is purely ceremonial.
(Score: 3, Insightful) by SomeGuy on Monday October 14, @02:34PM (1 child)
The Internet Archive provides a very valuable service. Now that it is completely down, looking up certain historic material is harder or impossible.
This is a reminder that archives should be available from as many alternate sources as possible.
(Score: 0) by Anonymous Coward on Monday October 14, @04:37PM
I will never forgive or forget that when I asked the IA for help when designing a digital repository, Brewster told me not to bother and just put all of our internal assets on the IA.
It's past time he get off his high horse and officially distribute IA across other institutions.
LOCKSS is a working example of this, but who do you trust and who would even take on the burden of having a target painted on their backs by people who don't want this information preserved?
(Score: 2) by mcgrew on Monday October 14, @04:14PM (1 child)
Archive.org, possibly one of the only entities to preserve the entire history of the Internet
They take "snapshots" once or thrice a month. There is more of thefragfest.org on my storage devices than at Archive, and an awful lot of THAT data are gone, too.
Likewise front page articles I wrote at K5 when it was still hot, and journals, all gone forever; at least, I can't find them.
E.G., a parody of "Keep On Rockin' Me" I wrote during the second Gulf war, "Keep Iraqin' Me" is something I've been looking for since not long after it was posted.
The Archive also doesn't track changes of owners. Thefragfest was a Quake site. It became a porn site a few years after I let it lapse, I don't know who did it, but the porn version has snapshots at Archive.
A Russian operative has infiltrated the highest level of our government. Where's Joe McCarthy when we need him?
(Score: 0) by Anonymous Coward on Tuesday October 15, @07:17PM
> all gone forever; at least, I can't find them.
I don't think you are doing this right. When you see a page you might like to see in the future, NOW is the time to send the URL to the Wayback Machine for archiving.
I've done this successfully for many years. For example, my tiny company has a website with a news page. When I post a new item, all the links also have a "permanent" archive.org link as backup. For anything I really care about, I also have a local backup, but don't waste hosting space with it unless I really can't find a copy to link to.