Internet Archive Breach Exposed 31 Million Accounts Amid Site Defacement and DDoS
Internet Archive confirmed a breach that exposed data tied to 31 million user accounts after attackers displayed a malicious JavaScript pop-up on the site announcing the intrusion. According to reporting validated by security researcher Troy Hunt and others, the stolen data dated to September 2024 and included email addresses, screen names/usernames, bcrypt password hashes, and other system data from the organization's digital library platform.
The disclosure unfolded as Internet Archive was also contending with intermittent distributed denial-of-service attacks that disrupted availability and a site defacement linked to a compromised JavaScript library. Founder Brewster Kahle said security upgrades were underway; hacktivist group BlackMeta claimed responsibility for the DDoS activity, while the actor behind the underlying data theft was not identified. The breach was later cataloged by Have I Been Pwned as affecting 31 million records.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Have I Been Pwned adds the Internet Archive breach
Have I Been Pwned listed the Internet Archive breach in March 2026, documenting the incident as affecting 31 million records from the September 2024 compromise. The entry summarized the exposed data types, including email addresses, screen names, and bcrypt password hashes.
DDoS attacks disrupt Internet Archive services
Around the same time as the breach disclosure in early October 2024, Internet Archive faced intermittent distributed denial-of-service attacks that forced services offline. Hacktivist group BlackMeta claimed responsibility for the DDoS activity, though not for the underlying data breach.
Internet Archive confirms breach after website defacement
On October 7, 2024, Internet Archive confirmed the breach after attackers displayed a malicious JavaScript pop-up on its website announcing the incident. Founder Brewster Kahle also said the site had been defaced via a JavaScript library and that security upgrades were underway.
Internet Archive is notified of the breach
On October 6, 2024, Troy Hunt notified Internet Archive about the stolen data. This appears to have been a direct disclosure step before the organization publicly confirmed the incident.
Troy Hunt reviews the breach data
Hunt reviewed the stolen Internet Archive data on October 5, 2024, confirming it contained 31 million unique email addresses and associated account information. This analysis helped establish the breach as legitimate.
Troy Hunt receives stolen Internet Archive data
Security researcher Troy Hunt said he received the stolen dataset on September 30, 2024. The data related to the Internet Archive breach and later helped validate the scope of the exposure.
Internet Archive suffers breach exposing 31 million records
In September 2024, Internet Archive experienced a data breach affecting its digital library systems. The stolen data included about 31 million records with email addresses, screen names or usernames, bcrypt password hashes, and other system data.


