Internet Archive user info stolen in cyberattack, succumbs to DDoS

The Internet Archive had a bad day on the infosec front, after being DDoSed and having its user account data stolen in a security breach. On Wednesday afternoon US time the outfit's digital librarian Brewster Kahle revealed a DDoS attack had made the site unavailable. The Register understands the maliciously caused outage …

  1. Pascal Monett Silver badge

    haveibeenpwned

    I have two email addresses that haveibeenpwned indicates have been implicated in 4 and 3 pwnages, but that just means that somebody got my email address and the password I used for those sites.

    If you don't use the same password for everything, it is less important.

    1. parlei

      Re: haveibeenpwned

      About the same here: mine is now a different, and slightly longer, character salad than it was yesterday. But for all the "it is just a website, I'll use the same one" people out there...

    2. Lee D Silver badge

      Re: haveibeenpwned

      There's a reason that for years I've been using not only unique passwords but unique emails at my domain.

      Just in the last week, I've seen emails to the addresses I used for NextDoor, Scan.co.uk and others that are not being sent by that company.

      That means that, at minimum, their employees are sharing their customer database emails with spammers, but could also indicate a compromise.

      However, in a breach none of those passwords would be useful on other sites, and none of those emails would be useful with those passwords elsewhere, etc. and I *KNOW* that something was breached in some fashion (even if that's just an email list leak) even though neither of the above appear on HaveIBeenPwned.

      I have "2FA" on my accounts, in effect, and someone breaching my NextDoor account would get logins and emails that only work on NextDoor and nowhere else (even if you try to mix and match emails at my domain with passwords I've used elsewhere).

      1. Anonymous Coward

        Re: haveibeenpwned

        I've also used different emails at different sites based on my own domain name (the emails forward to my brace of actual email addresses).

        So although websitename@mypersonaldomainname.tld might be guessed, your criminal sort will get nowhere trying that against the Tat Bazaar website.

        1. Lee D Silver badge

          Re: haveibeenpwned

          I have a Postfix rule that validates the email address according to a set of non-obvious, non-inferrable rules and if valid forwards it onto my real email account.

          Best way to spot spam, phishing, credential theft, etc. "Oh look, an email from Paypal... except that's NOT the email address I gave Paypal".

          But also, if you try to make up an email at my domain yourself, you can't without knowing the rules.

          The power of regex...

          1. Philo T Farnsworth Silver badge

            Re: haveibeenpwned

            Would you be willing to share the Postfix rule?

            I've been using the 'recipient_delimiter' rule to add an identifier to an email address. For instance foobar+baz42@example.com gets sent to the foobar account and I can use procmail (yes, I'm pretty Old School -- I even use mailx as my primary MUA, though I keep Thunderbird for things that require a graphical mail reader) rules to sort and/or trash emails based upon the suffix. I create a different suffix for each signup.

            Unfortunately, that doesn't allow me to respond to an email using that same From: address, which reveals my unadorned user name. That disparity can actually confuse some correspondents and cause transactions to fail.

            And as confessed elsewhere, yes, I'm pretty much lunatic fringe and loving every minute of it.

            1. Lee D Silver badge

              Re: haveibeenpwned

              Not my particular one, no. I wouldn't even claim to understand it any more!

              It's a complex regexp built up over years, but to give you an example:

              If I wanted to give, say, Microsoft an address.... I could use microsoftnn@domain.

              And nn would be a factor of the word "microsoft". For instance, length. Or how many vowels (easily countable in your head). Or some similar metric / formula.

              Then if I'm asked on the fly for an email, I can craft one. If someone makes one up and doesn't know the rule, it won't generate a valid email. Email that doesn't meet the regexp (in the "virtual" alias file in Postfix, for example) will just bounce as not being valid. New emails don't require me to explicitly set them up, so long as they match the rule (and because it's a virtual alias, all valid ones at my domain are just forwarded to my real email account on one line). And when I receive them at the endpoint, I know if it came from my mail server it must have matched those rules.

              I don't even do things THAT simply... the address wouldn't be microsoft, for instance, but something I know that is related to Microsoft... i.e. I might use "redmondnn@" for example. Then if I get an email purporting to be from Microsoft and it's addressed directly to my final email account... it's a fake. If it's addressed to anything other than redmondnn@, then it's a fake. And if it's addressed to redmondnn@ then I know that that is the precise email that I gave Microsoft and Microsoft alone (so either they have released that email somehow, or I've been compromised).

              And yet when I speak to companies or sign up on their website on a foreign device, all I need to do is make up an email, work out the "score" that goes on the end in my head, and provide it to them and they likely would never query it at all because it just looks like an ordinary email address ("johnsmith43@" etc. are common).

              One regexp (and I'd have to sit and spend a week deciphering it, admittedly, because it's more complex than the above!), and all my "phishing identification" and catch-all spam goes away.
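An added simulation of the kind of rule Lee D describes above (his actual regexp is not shared, so this is a constructed stand-in, not his code or configuration): the numeric suffix of an alias is a "score" of the label that a person can work out in their head (here, the vowel count), the mail server forwards only addresses that satisfy the rule, and at the endpoint a message is judged by whether it arrived at the exact alias that company was given. The domain, mailbox and labels are constructed examples.

```python
import re

# Constructed example values; not from the original post.
DOMAIN = "example.org"
REAL_MAILBOX = "me@real-mailbox.example"

VOWELS = set("aeiou")
# Alias shape: <letters><digits>@DOMAIN, which looks like any ordinary "johnsmith43@" address.
ALIAS_RE = re.compile(r"^([a-z]+)(\d+)@" + re.escape(DOMAIN) + r"$")


def score(label: str) -> int:
    """The mental 'score': number of vowels in the label."""
    return sum(1 for ch in label if ch in VOWELS)


def make_alias(label: str) -> str:
    """Craft the address to hand to a company, e.g. 'redmond' -> 'redmond2@example.org'."""
    return f"{label}{score(label)}@{DOMAIN}"


def route(recipient: str):
    """Simulate the Postfix virtual alias lookup.

    Returns the forwarding target for a recipient that matches the rule, or
    None for one that does not (in Postfix the latter would simply bounce).
    """
    m = ALIAS_RE.match(recipient.strip().lower())
    if not m:
        return None
    label, suffix = m.group(1), int(m.group(2))
    return REAL_MAILBOX if suffix == score(label) else None


def classify(claimed_sender: str, recipient: str, label_given_to_sender: str) -> str:
    """At the endpoint: a mail purporting to come from a company must have been
    addressed to precisely the alias that company was given; anything else is suspect."""
    if route(recipient) is None:
        return "bounced"                       # never reached the real mailbox
    if recipient.lower() != make_alias(label_given_to_sender):
        return f"suspect: wrong alias for {claimed_sender}"
    return "expected alias"


if __name__ == "__main__":
    for rcpt in ["redmond2@example.org", "redmond5@example.org", "microsoft3@example.org"]:
        print(rcpt, "->", classify("Microsoft", rcpt, "redmond"))
```

In Postfix itself the rule has to be spelled out as patterns in a regexp: or pcre: virtual_alias_maps table rather than computed as here; the simulation keeps the rule readable.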

    3. Mike007 Silver badge

      Re: haveibeenpwned

      My number 1 piece of advice to people is a password manager (other than the one built in to the browser). Makes unique randomly generated passwords a no-brainer.

    4. Elongated Muskrat Silver badge

      Re: haveibeenpwned

      Not quite; they got a salted hashed password, which means they have a means to start trying to work out your password for that site, offline.

      Because the passwords are salted, it means that they won't be able to use a "rainbow table" attack to try to break the password encryption for multiple accounts at once. This is where they take a table of all possible passwords and hash them all using the same algorithm, and then go hunting for matching hashes. The salting prevents this.

      It does mean they can use a dictionary attack to try to break individual passwords. If you have used a unique password for this site, then that's not a problem, you just need to change your password.

      If you re-use passwords, as a lot of people do, it's potentially more of a problem, depending on whether you re-use passwords only for services that require you to sign up with a password, but which you don't care about, such as online retailers you'll never use again, and to which you never give your card details.

      Unfortunately, if you re-use passwords, don't bother with 2FA, and use the same password for everything, like a lot of people still do, then, apart from now needing to change the same password on every single site you've used it on, you're also an idiot.

  2. CowHorseFrog Silver badge

    The most important technical detail, aka the name of the "bad javascript library", is not in the article!

    1. Quando

      JavaScript library is enough. Avoid.

      1. CowHorseFrog Silver badge

        I'm sure that helps the audience spot the problem... I mean, why tell the doctor what is hurting, why have a few tests, when you can just speak like a caveman...

    2. diodesign (Written by Reg staff) Silver badge

      JS lib

      Not known yet - as soon as we know, we'll let you know.

      C.

  3. PM.

    "That's tough," one exec at some powerful publishing company was heard to say, while sipping his Dom Perignon.

  4. Zippy's Sausage Factory

    Copyright lawyers will now have the chance to match user names with emails. They're going to have a field day.

  5. xanadu42

    Wayback Machine Timeout

    Just tried https://web.archive.org/ and got a timeout :(

    Seems like their issues may be quite serious.

    https://www.isitdownrightnow.com/web.archive.org.html

    Also reports the site is down.

    1. heyrick Silver badge

      Re: Wayback Machine Timeout

      Maybe coincidence, but Bing was down for me yesterday evening (Europe time) and is still down now. Is something larger going on?

      Edit: Interesting, it's inaccessible to me (in France) and on https://downforeveryoneorjustme.com/bing, but https://www.isitdownrightnow.com/bing.com.html reports no problems.

  6. Anonymous Coward

    Oh the irony

    One minute you are nailed in court for pirating other people's copyright materials on a grand scale, the next you find other people's data you rightfully curate pirated on a grand scale. It's a hard life.

  7. JessicaRabbit

    I wonder if these attacks are random* or if the Internet Archive is being targeted for some reason; if it's the latter, what the attacker's motivations might be.

    * They were low hanging fruit detected by vuln scanners

    1. ThomH Silver badge

      It's been claimed by a pro-Palestinian group, though I don't think that's been verified independently.

      And, no, I also don't see the connection.

      1. O'Reg Inalsin

        "Allegedly claimed by a group alleging to be a pro-Palestinian group" is surely more accurate.

  8. steviebuk Silver badge

    You have to be

    some sort of real cunt to screw over archive.org.

    What knobs. The ones doing the robbing, not archive.org.
