Anatomy of a Breach: Internet Archive — 31 Million Accounts Breached at the Library of the Internet

> series: anatomy_of_a_breach —— part: 190 —— target: internet_archive —— accounts: 31,000,000 —— mission: preserving_human_knowledge

Hedgehog Security 31 October 2024 12 min read

31 million accounts. The library of the internet. No organisation is safe.

In October 2024, the Internet Archive — the nonprofit organisation that operates the Wayback Machine, preserving over 866 billion web pages and serving as one of humanity's most important digital libraries — was breached. Approximately 31 million user accounts were compromised, with a database containing usernames, email addresses, and bcrypt-hashed passwords stolen. The breach was accompanied by a JavaScript-based website defacement that displayed a pop-up message to visitors, and concurrent DDoS attacks that kept the site offline for extended periods.

The Internet Archive — founded in 1996 by Brewster Kahle — operates as a nonprofit with a mission to provide 'universal access to all knowledge.' The Wayback Machine is used by researchers, journalists, legal professionals, and the general public to access historical web content. The breach of a nonprofit dedicated to preserving human knowledge — with limited resources for cybersecurity — highlighted the vulnerability of mission-driven organisations that hold significant data but lack the security budgets of commercial enterprises. The stolen data was confirmed on Have I Been Pwned.


Mission-driven. Resource-constrained. Still a target.

Cultural Heritage Organisation

The Internet Archive preserves human knowledge — a mission of immense cultural importance. Like the <a href="/blog/anatomy-of-a-breach-red-cross-icrc">Red Cross/ICRC</a> (2022), the attack demonstrated that mission-driven organisations are not exempt from cyber targeting. For UK charities, cultural institutions, and nonprofits, <a href="/cyber-essentials">Cyber Essentials</a> provides affordable baseline security proportionate to their resources.

bcrypt Saved the Passwords

The Internet Archive had implemented bcrypt for password hashing — a strong choice that protects credentials even when the database is stolen. Users with strong, unique passwords were protected. This is a security success within the breach — proper password hashing matters. Our <a href="/penetration-testing/web-application">application testing</a> verifies password storage implementation.

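One check a password-storage review can run, shown as an added example (not code from the original article or from the Internet Archive): classify the values in a password column by format, confirming bcrypt and its cost factor and flagging fast unsalted digests. The function names, the `MIN_COST` threshold of 10 and the sample rows are assumptions made for illustration.

```python
import re

# Modular crypt format for bcrypt: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Assumption: minimum acceptable cost; set this from your own password policy.
MIN_COST = 10
# Fast, unsalted digests recognised by hex length (a heuristic, not proof).
FAST_DIGESTS = {32: "MD5-length", 40: "SHA-1-length", 64: "SHA-256-length"}


def classify(stored):
    """Return (verdict, detail) for one value from the password column."""
    m = BCRYPT_RE.match(stored)
    if m:
        variant, cost = m.group(1), int(m.group(2))
        if not 4 <= cost <= 31:
            return "invalid", f"bcrypt cost {cost} outside 4..31"
        if cost < MIN_COST:
            return "weak", f"bcrypt ${variant}$ cost {cost} below {MIN_COST}"
        return "ok", f"bcrypt ${variant}$ cost {cost}"
    if HEX_RE.match(stored) and len(stored) in FAST_DIGESTS:
        return "weak", f"{FAST_DIGESTS[len(stored)]} hex digest, fast to brute-force"
    return "unknown", "not bcrypt; could be plaintext or another scheme"


def audit(rows):
    """Summarise a sample of (user, stored_value) rows; list everything not 'ok'."""
    counts, findings = {}, []
    for user, stored in rows:
        verdict, detail = classify(stored)
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict != "ok":
            findings.append((user, verdict, detail))
    return counts, findings


# Constructed sample rows: the bodies are filler characters, not real hashes.
SAMPLE = [
    ("alice", "$2b$12$" + "a" * 53),
    ("bob", "$2a$06$" + "b" * 53),
    ("carol", "0123456789abcdef" * 2),
    ("dave", "hunter2"),
]

if __name__ == "__main__":
    counts, findings = audit(SAMPLE)
    print(counts)
    for finding in findings:
        print(*finding, sep="\t")
```

A format check like this only shows how values are stored; it says nothing about the strength of the passwords behind them.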
Breach + DDoS + Defacement — Simultaneously

The Internet Archive faced a data breach, DDoS attacks, and website defacement concurrently — a multi-vector assault that overwhelmed the organisation's limited security resources. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides unified monitoring across multiple threat vectors — detecting and triaging concurrent attacks.

Limited Resources, Significant Data

Nonprofits often hold significant data (31 million accounts) but have limited cybersecurity budgets. <a href="/cyber-essentials">Cyber Essentials</a> is specifically designed to be achievable and affordable for organisations of all sizes — providing proportionate security without enterprise-level expenditure. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response for organisations of all sizes.

Every organisation that holds data is a target. Regardless of mission or budget.

The Internet Archive breach proved that every organisation — regardless of its mission, its cultural importance, or its nonprofit status — is a cyber target if it holds user data. For UK charities, cultural organisations, and nonprofits, Cyber Essentials provides achievable, affordable baseline security. Penetration testing validates controls. SOC in a Box provides monitoring at accessible price points. And UK Cyber Defence provides incident response when mission-driven organisations are attacked.


The Internet Archive — preserving human knowledge — was breached. No mission exempts you. No budget excuses you.

<a href="/cyber-essentials">Cyber Essentials</a> is achievable for every organisation. <a href="/penetration-testing">Penetration testing</a> validates controls. <a href="https://www.socinabox.co.uk">SOC in a Box</a> is accessible.
