{
	"id": "1c008aef-c482-446f-b35b-8a1842de3752",
	"created_at": "2026-04-06T00:21:10.066063Z",
	"updated_at": "2026-04-10T13:11:46.546181Z",
	"deleted_at": null,
	"sha1_hash": "6e7a786cd78f37933485ba2317a8da5e62e3ecf9",
	"title": "Internet Archive is Attacked and 31 Million Files Stolen",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41706,
	"plain_text": "Internet Archive is Attacked and 31 Million Files Stolen\r\nBy Jeffrey Burt\r\nPublished: 2024-10-10 · Archived: 2026-04-02 12:07:37 UTC\r\nThe Internet Archive, the non-profit digital library to offer free access to a broad array of digitized materials like\r\nwebsites, books, and software applications, was attacked late last month in a data breach that exposed 31 million\r\nfiles that includes such information as email addresses and screen names.\r\nVisitors to the Internet Archive website at one point this week were greeted with a message reading “Have you\r\never felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security\r\nbreach? It just happened. See 31 million of you on HIBP!”\r\nHIBP refers to “Have I Been Pwned,” a breach notification site people can use to see if their data has been leaked\r\nbecause of a cyberattack. Both Brewster Kahle, who founded the Internet Archive, and Troy Hunt, who operates\r\nHIBP, confirmed the data breach\r\nIn a posting on X (formerly Twitter), Kahle wrote October 9 that his organization fought off a distributed denial-of-service (DDoS) attack that led to the defacement of the website. He also confirmed the breach of usernames,\r\nemail addresses, and salted-encrypted password. In response to the attack, the Internet Archive disabled the\r\nJavaScript library, scrubbed systems, and upgraded its security, though no details were discussed.\r\nIn posts today, Kahle wrote that the Internet Archive site was again between hit with a DDoS attack and the site\r\nwas knocked offline, adding that he was “being cautious and prioritizing keeping data safe at the expense of\r\nservice availability.”\r\nAccording to a BleepingComputer report, the 6.4GB SQL file was stolen from a user authentication database and\r\nthe most recent timestamp among the stolen data was September 28.\r\nHIBP was Sent Data Last Week\r\nAlso on X, Hunt said someone had sent him the information from the breach on September 30, but because he was\r\naway, he didn’t look into it until October 5 and contacted the Internet Archive the next day. Hunt began loading\r\nthe data onto HIBP on October 9, the same day that the Internet Archive was his with the DDoS attack and its site\r\nwas defaced.\r\nAn X posting on the HIBP site said that 54% of the accounts from the Internet Archive breach had already been in\r\nthe database from previous attacks.\r\n“The timing on the last point seems to be entirely coincidental,” Hunt wrote, adding that “it may also be multiple\r\nparties involved and when we’re talking breach + defacement + DDoS, it’s clearly not just one attack.”\r\nPro-Palestinian Threat Group Claims Credit\r\nhttps://securityboulevard.com/?p=2033037\r\nPage 1 of 2\n\nThe threat group SN_Blackmeta is taking credit for the attack, posting on X that they did so because the Internet\r\nArchive “belongs to the USA” and that the U.S. government supports Israel in the fighting in the Middle East.\r\nHowever, as noted by many responding to the group’s accusation, the Internet Archive is a nonprofit that is not\r\nowned by the United States.\r\nAccording to cybersecurity company Radware, SN-Blackmeta rose up in the wake of Hamas’ October 7, 2023,\r\nattack on Israel and that country’s military response. In a report in July about a sustained six-day DDoS attack by\r\nthe SN_Blackmeta on a financial institution in the Middle East, Radware researchers wrote that the threat group\r\nsurfaced via a Telegram channel November 14, 2023.\r\n“The initial content on this channel set the tone for its future endeavors, featuring updates on cyberattacks\r\ntargeting Israeli and Palestinian infrastructure, primarily through distributed denial of service (DDoS) attacks,” the\r\nresearchers wrote. “These early posts laid a strong foundation for the group’s operations and clearly indicated their\r\nideological stance.”\r\nAn Active Threat Group\r\nSN_Blackmeta’s introduction on Telegram was followed by a surge of DDoS attacks that stretched into this year,\r\nwith the victims including websites in Israel, Canada, and Saudi Arabia, as well as the International Airport of\r\nAzrael and the Saudi Ministry of Defense in January.\r\nIn March, the targets ranged from French infrastructure as Israel’s Smart Shooter company, Israeli telecom\r\ncompanies, and the Tel Aviv Stock Exchange. April saw no decline in their fervor; instead, they focused on UAE’s\r\ndigital infrastructure, Israeli scientific and technological websites, and a range of Western entities. In May and\r\nJune, the group launched campaigns against tech giants Microsoft, Yahoo, and Orange, and UAE infrastructure.\r\nIn addition, Radware researchers said the Internet Archive also was a target during those months.\r\nIn March, a user on X calling themselves Sn-darkmeta said they were the leader of SN_Blackmeta, reposting\r\nimages and summaries of attacks that has been publicized don the Telegram channel and “crafting a persona that\r\nbolstered the group’s visibility and ideological messaging,” they wrote.\r\nRecent Articles By Author\r\nSource: https://securityboulevard.com/?p=2033037\r\nhttps://securityboulevard.com/?p=2033037\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityboulevard.com/?p=2033037"
	],
	"report_names": [
		"?p=2033037"
	],
	"threat_actors": [
		{
			"id": "d93f6788-b81a-4307-9ad1-b7944ea75250",
			"created_at": "2024-11-03T02:00:03.651869Z",
			"updated_at": "2026-04-10T02:00:03.743143Z",
			"deleted_at": null,
			"main_name": "Blackmeta",
			"aliases": [
				"SN Blackmeta"
			],
			"source_name": "MISPGALAXY:Blackmeta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434870,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e7a786cd78f37933485ba2317a8da5e62e3ecf9.pdf",
		"text": "https://archive.orkl.eu/6e7a786cd78f37933485ba2317a8da5e62e3ecf9.txt",
		"img": "https://archive.orkl.eu/6e7a786cd78f37933485ba2317a8da5e62e3ecf9.jpg"
	}
}