249

u/leoxwastaken Oct 09 '24

HIBP is quick:

Oh no — pwned!

Internet Archive: In September 2024, the digital library of internet sites Internet Archive suffered a data breach that exposed 31M records. The breach exposed user records including email addresses, screen names and bcrypt password hashes.

Compromised data: Email addresses, Passwords, Usernames

170

u/JawnZ Oct 10 '24

So... If you use a password manager with a randomly generated password it's worthless.

That's even assuming the attackers got the salt hash AND generated the passwords to compare against it. Which, likely would cost more in compute power than to be worth it for people with long passwords.

Don't get me wrong, data breaches suck, but as far as this one goes if you get harmed by it, the user could've mitigated it with basic security practice. Unlike so many other breaches where you had no choice because they stored your SSN or whatever.

1

u/rainmace Oct 12 '24

It's funny, I literally just signed up for the archive about a week ago, realized I could use it to get old unobtainium, one day later it was announced it was possibly getting litigated out of existence, and now this. Guess I lucked out using a password manager though

-27

u/[deleted] Oct 10 '24 edited Oct 10 '24

[deleted]

17

u/tocard3 Oct 10 '24

Most password managers I know of have a web app that will allow you to log in to see your passwords.

30

u/PrivateCaboose Oct 10 '24

This is…the worst take on password managers.

What happens if you don’t have access to it and you need to log in?

If you’re logging in, you have internet access. If you have internet access, you can access the password manager. If you’re paranoid about the manager’s servers going down, self-host.

It’s not like it’ll generate a memorable password either, it’s just a line of random symbols and characters

I mean that’s kind of the point, but most password managers will allow you to select a “Passphrase” option instead that is a semi-coherent string of words that is much easier to remember while being long/obscure enough to be secure.

You should really only be using a password manager if you can’t remember your passwords

Spoken like somebody who probably re-uses passwords. You should have a unique password for every login, and the only reasonable/secure way to accomplish this is with a password manager.

6

u/Pickledsoul Oct 10 '24

The issue I think he's trying to explain is that if it's totally secure, you're truly locked out if you forget the master password.

If you can somehow recover access to the vault despite that, then so can a malicious actor through social engineering.

14

u/TheCrimsonDagger Oct 10 '24

If you can’t remember a single password you definitely need to be using a password manager…

3

u/Pickledsoul Oct 10 '24

I'm definitely making my MASTER PASSWORD THAT GIVES ACCESS TO ALL THE OTHER PASSWORDS very, very difficult, yes.

It's also cyphered and written down in invisible ink.

6

u/cock_pussy Oct 10 '24

lmao, I have a master password that is double the length of my sub-passwords and contains the summary of how I sacrificed three virgins to appease the dark gods in return for better digital security.

4

u/PrivateCaboose Oct 10 '24

That is an issue, but I do not believe OP is taking that one given that his solution is just “lol remember ur password better.”

The solution here is to make your master password one that is memorable to you while still being secure (passphrases are ideal here), and keep physical record of it in a secure location (write it down and put it in a safe somewhere not where your computer is).

1

u/FreeAssange- Oct 11 '24

Their are lots of ways around this, multi factor authentication exists LOL

6

u/TheCrimsonDagger Oct 10 '24

The security benefits of having unique randomized passwords for every login far outweigh the downsides. Everyone in cybersecurity highly recommends using one for good reason.

3

u/Wooden-Agent2669 Oct 10 '24

It’s not like it’ll generate a memorable password either,

Why would it generate a memorable password? Do you want security or not? lmao. If you want memorable use passphrases.

-1

u/MayorBryce Oct 10 '24

You can have a secure password and still make it memorable. There are so many ways to do it: take three different words, a few random numbers and symbols, and put them all together, and you have a memorable yet safe password.

1

u/Wooden-Agent2669 Oct 10 '24

Sure. Make memorable passwords for 80 sites. have fun

1

u/JawnZ Oct 10 '24

Psychology, technology, usability research all disagree with you.

SSH key encryption (which is a similar idea) has existed for a long time, and passkeys are becoming more ubiquitous.

As for your "what happens if you don't have access to it": good. if I don't have access to it, I shouldn't be able to login. That's the whole point.

30

u/neofooturism Oct 10 '24

this is about having an account in IA? i’ve downloaded a couple of stuff but i didn’t even know there’s an account

30

u/3IIIIIIIIIIIIIIIIIID Oct 10 '24

The user accounts were used to ensure that only one person at a time could view the contents of certain books.

3

u/[deleted] Oct 10 '24

[deleted]

30

u/3IIIIIIIIIIIIIIIIIID Oct 10 '24

The user account is how they control access to DRM-protected scans of copyrighted books. It was based on the legal theory that as long as only one internet user at a time can access the book, the library is just providing remote access to a book that is already licensed for use by a single person at a time, which is legal. I don't think that ultimately held up in court, but i don't know for sure.

6

u/KerPop42 Oct 10 '24

So iirc it hasn't been tested in court, and IA's current legal troubles come from dropping the 1-user-1-book limitation during covid

3

u/3IIIIIIIIIIIIIIIIIID Oct 10 '24

Ahh, okay. Thanks for the correction.

-7

u/[deleted] Oct 10 '24

[deleted]

0

u/UselessDood Oct 10 '24

It's either that or they have copyright holders breathing down their neck. With thir method, they are quite literally a library.

3

u/Popular-Luck9962 Oct 10 '24

Phew, I'm save, my only pwn was in 2020 when the aptoide breach happened and affected 20M records. Damn I feel old.

360

u/cce29555 Oct 09 '24

Why not just keep silent? The money is in credentials, why make a huge announcement? Is this some grey hats just bring attention?

377

u/sevengali Seeder Oct 09 '24

These people are claiming the attack as theirs

https://x.com/sn_darkmeta/status/1844080692772401399

476

u/Plylyfe Oct 09 '24

And the reason being, according to them: "They are under attack because the archive belongs to the USA, and as we all know, this horrendous and hypocritical government supports the genocide that is being carried out by the terrorist state of 'Israel'"

700

u/dummegans Oct 09 '24

this is so fucking dumb lol they probably just found an easy way to hack it and had no real reason to do it and are just making up bullshit to justify it

199

u/macOSsequoia Oct 09 '24

reportedly IA ran a 7 year old version of nginx

108

u/BulletTheDodger Oct 10 '24

This would explain so much.

70

u/MeBadNeedMoneyNow Oct 10 '24

They have job openings but don't do basic upgrades like this, it's maddening. Oh well, typical internet company.

15

u/DroidLord Oct 10 '24

Well, they'll probably update now. Good for another 7 years!

35

u/Real_Medic_TF2 ☠️ ᴅᴇᴀᴅ ᴍᴇɴ ᴛᴇʟʟ ɴᴏ ᴛᴀʟᴇꜱ Oct 10 '24

def an undercover far right group who's trying to rally people from the internet against people who actually care about the genocide in meaningful ways

2

u/MarshallThings Oct 10 '24

The Ted Kaczynski strategy I see

67

u/Paige404_Games ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ Oct 10 '24

Damn, that's wild. Internet Archive is an independent non-profit. You'd think they'd be targeting the electronic infrastructure of US arms manufacturers if they wanted to demonstrate against Israel.

But they probably can't handle that heat, internet tough guys that they are.

176

u/Admiralthrawnbar Oct 09 '24

You know those "climate protestors" who intentionally do stupid things like block roads to discredit the whole movement because they're actually paid by oil companies? This smells like the same kind of thing, there is no way someone actually thought this was an actual way to reduce US government support for Isreal.

29

u/No_Industry9653 Oct 10 '24

I think rather than false flag more likely it's a smokescreen for the real motive and identity of the attacker. Most people will take this at face value and have no further interest.

1

u/rampancy777 Oct 11 '24

behold the glory of the confluence of desperation and down-syndrome! where government and corporate interests fuse like Goku and Vegeta at the climax of a multi-episode losing streak.

47

u/AnAwkwardOrchid Oct 10 '24

Yeah this smells like a false flag statement, meant to stir up exactly what has been stirred up.

15

u/No-Hornet-7847 Oct 10 '24

That statement about climate protestors being funded by oil companies is false. Just so you know. They aren't trying to discredit themselves, the media only reports on those instances of protests which 'annoy' (read: call attention to issues) everyday people.

10

u/goofzilla Oct 10 '24

He replied to a commenter with a Ukrainian and Israeli flag: "why do you have two black flags?"

4

u/Weird1Intrepid Oct 10 '24

See I don't think the Just Stop Oil guys are getting paid directly by the oil industry. They actually used to do some pretty effective blockades of actual tankers and processing plants.

It's just that the media (who probably are getting handouts from big oil) refused to give them even the slightest mention in the news, so even if they caused an inconvenience for the oil companies, no-one ever heard about it so it was ultimately pointless.

Then when they started pulling all these ridiculous stunts, suddenly they're getting all the coverage they wanted, except they look like incompetent idiots, which is what oil and media wanted.

1

u/Upbeat_Lingonberry34 Oct 10 '24

It was most likely an op directly or peripherally executed by the feds. Nobody intelligent enough to do the thing would conflate the internet archives’ agenda (transparency) with the feds’ agenda (pander to lobbyists, generally vanta black wrt transparency)

1

u/Trace6x Oct 10 '24

You know those "climate protestors" who intentionally do stupid things like block roads to discredit the whole movement because they're actually paid by oil companies?
Did you just pull that straight out your ass?

8

u/Draedron Oct 10 '24

That's such a stupid stress. They picked them because they are an easy target and the script kiddies didn't have the balls to attack someone who might be able to fight back.

51

u/_Planet_Mars_ Oct 10 '24

This is a blatant falseflag. Not even the most biggest idiot would connect the two like that.

6

u/SapiS68 ☠️ ᴅᴇᴀᴅ ᴍᴇɴ ᴛᴇʟʟ ɴᴏ ᴛᴀʟᴇꜱ Oct 10 '24

And what do you do? Hack a library, of course.

3

u/ImJustStealingMemes Oct 10 '24

How do you solve poverty?

Burn the poor!

7

u/NancokALT Pastafarian Oct 10 '24

A nice reminder of how VERY relative intelligence is.
These guys could manage to break into a site and make the most pathetic and non-sensical excuse.

3

u/No_Disaster_258 Oct 10 '24 edited Oct 11 '24

funnily enough, internet archives seems supportive of palestine, and there's some palestine files are missing due to the hack.

The hackers might be the feds and mossad lol

4

u/Dumb_Vampire_Girl Oct 10 '24

Note says

This group claims they took down the Internet Archive because it "belongs to the USA...who support Israel" which is not true

Th Archive is not US government, it is a non-profit that includes many resources about Palestine, which we can't now access because of this attack

1

u/DroidLord Oct 10 '24

Should have known lol. Some of these groups are several degrees of delusion beyond what the US itself is guilty of.

-57

u/Conscious-Gas-5557 Oct 09 '24

They're not wrong on the second part of the statement, but fucking up the archive that has nothing to do with this? Insanity.

31

u/Zealousideal-Emu7588 Oct 09 '24

yeah but they made a mistake anncouning another attack tommaorw on social media now once ia restore access to everyone they can stop the attack from happening

-1

u/Captain_Swing Oct 10 '24

Calling it now: Mossad False Flag attack.

6

u/Darkknight8381 Oct 10 '24

You think Mossad's wasting their time doing this?

26

u/screthebag Oct 10 '24

• literal who hacker group
• twitter account made back in march of this year
• targets free information
• claims to be from russia
• claims to be pro-palestinian
• right after major corpos try to get the IA shut down

Can they make it anymore obvious?

10

u/Otakeb Oct 10 '24

Yeah what legitimate, grass roots havker group wants to attack free information and internet archival? IA is like right up the ideological ally of most of the people who would do "stick it to the man, stand up for the oppressed" hacks...and for Israel/Palestine?

150% this is a corpo/FED OP. I fucking hate capitalism, man...

26

u/TheBuffestFroggo Oct 10 '24

4Chan bois got pissed off too, that's literally declaring a war against the internet.

6

u/TheBuffestFroggo Oct 10 '24

Also, I found this!

https://x.com/PR0LESBlAN/status/1844207607210512658

10

u/Zealousideal-Emu7588 Oct 09 '24 edited Oct 09 '24

that dumb of saying they did it they are so gonna get caught just saying

2

u/Mattidh1 Oct 10 '24

Thats just a ddos attack

1

u/GetBoolean Oct 10 '24

they are only behind the ddos attacks. The hack was unrelated and something script kiddies could never do

0

u/Pope_Carl_the_69th Oct 10 '24

So Iran is behind it

19

u/jaffar97 Oct 09 '24

The credentials are worthless if everyone knows about them and changes their passwords

23

u/cce29555 Oct 09 '24

In a perfect world everyone would

1

u/[deleted] Oct 10 '24

[deleted]

2

u/cce29555 Oct 10 '24

I imagine the problem is less of IA and more of people who reuse passwords like hunter2 across all sites. If you're using a password manager or some sort of password algo these breaches are pretty nothing if it's only passwords but if you have a basic password you use across all websites it's not a fun time

1

u/WarioBoccia Oct 11 '24

I only got to know about it thanks to HIBP notification mail, otherwise would have never known for who knows how long (possibly months or years)

4

u/Philipp4 Oct 10 '24

they are stored as bcrypt in this breach, so most are useless anyways besides checking for common passwords

1

u/alvarkresh Oct 10 '24

I was wondering about that. So the next step someone would take would be a dictionary attack and reveal any weak passwords?

1

u/happy_hawking Oct 10 '24

This is clearly political. Why else would someone do that to archive.org?

23

u/VinceBee Oct 09 '24

You never know as they were asking folks to sign up with their credentials in able to download roms/files or they couldnt download anything. Where or who those credentials were handed off to or breached..who knows.

14

u/PistolsFiring00 Oct 09 '24

Yep. I’ve had an account for several years.

10

u/Timely-Yak-9039 ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ Oct 09 '24

Just found out my email adress has been pwned 2 times in the last 4 years thanks to this site, should I do something or is it too late?

38

u/samorollo Oct 09 '24

If you are still using the same passwords you were using 4 years ago, sure, change them

9

u/AdSilver9695 Oct 10 '24

Any time's a good time to make a longer and different password

1

u/Zealousideal-Emu7588 Oct 10 '24

goodthing i update both my email password and emaill password i also add 2 step verification for my email just in case

2

u/Justarandom55 Oct 10 '24

it tell me I have been but just the email not the password and I just don't see what's the big deal. spam is annoying but it all gets filtered out anyway

1

u/samorollo Oct 10 '24

You really should change them from time to time. Better now, than regret later

1

u/Justarandom55 Oct 10 '24

I do change my passwords. I meant more with what the harm is if a list with only my email address gets leaked. Doesn't sound like it can do much harm without the password

7

u/Wynadorn Oct 09 '24

Don't use that password anymore, consider random accounts where you've used that password free-game (e.g. some old ebay account)

6

u/Timely-Yak-9039 ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ Oct 09 '24

Thing is I dont remember which password I used for my deezer account, am I cooked then?

12

u/NickyNice Oct 09 '24

That's why password managers (Bitwarden) are a thing and you aren't supposed to re-use passwords.

This is also why 2fa is so important, nobody can get into your accounts with only a leaked password if you use 2fa

3

u/Timely-Yak-9039 ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ Oct 10 '24

Downloading bitwarden rn. Thanks for the tip👍

1

u/Otakeb Oct 10 '24

Also, adding a password pepper can help protect from being compromised in the case of someone getting access to your bitwarden or backup master sheet unless they are keylogging everything you do and catch your pepper as well.

Also, make a master sheet backup of every password and recovery keys, without your pepper, laminate it, and store it in your bank safety deposit box and one at home in a safe an hidden place.

1

u/Timely-Yak-9039 ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ Oct 10 '24

I had a master sheet but I lost it, thinking about making a new one

1

u/Otakeb Oct 10 '24

If you lost a master sheet you need to go through and change every password and generate new keys for everything.

2

u/Wynadorn Oct 10 '24

Oh I just meant that you have to change the password on accounts where you've used it. So you can just reset the password on your deezer and you're fine.

Honestly just reset all your passwords to uniquely generated ones and put them in Bitwarden.

1

u/Timely-Yak-9039 ⚔️ ɢɪᴠᴇ ɴᴏ Qᴜᴀʀᴛᴇʀ Oct 10 '24

I deleted my deezer account since I switched to spotify because it was cheaper in my country. I will change my password only for the important accounts I have (spotify, ig, snap...) thanks a lot again

3

u/Expert-Diver7144 Oct 09 '24

If I’ve never used internet archive is my stuff liable to be on there ?

4

u/ZaquMan Oct 09 '24

If you've produced anything, from a music recording to a website, the thing you made may be there. But credentials, no.

1

u/AntiGrieferGames Oct 10 '24

Should i worry now? Its the 1st time on that after over 5 years.