The Internet Archive has confirmed getting hacked and suffering a data breach, with as many as 31 million users reportedly being impacted.

The Internet Archive is a non-profit digital library hosting millions of applications, videos, audio files, print materials, and images. Its Wayback Machine service has captured hundreds of billions of web pages.

According to Troy Hunt, the administrator of the popular data breach notification service Have I Been Pwned (HIBP), data taken from the Internet Archive started circulating at some point before September 30. 

Hunt managed to analyze the data on October 5 and uploaded it to HIBP on October 9 to allow users to check if they are impacted. 

Over 31 million compromised Internet Archive records have been added to HIBP, including email addresses, usernames, and password hashes (generated with the Bcrypt algorithm). 

It’s worth noting that the difficulty of cracking Bcrypt-hashed passwords depends on the strength of the password — it can be done within minutes if the password is weak, but it can take millions or billions of years to crack strong passwords. 

In addition to the data breach, the Internet Archive website was defaced with a message announcing the breach, and the site went offline several times in the past few days due to a DDoS attack.

The Internet Archive has yet to share any details, but its founder, Brewster Kahle, has confirmed that the service has been offline for much of the time since Tuesday due to a DDoS attack. The website is still offline at the time of writing. 

Kahle has also confirmed that the Internet Archive website has been defaced (blamed on a JavaScript library), and that usernames, email addresses, and salted and encrypted passwords have been compromised.

“What we’ve done: Disabled the JS library, scrubbing systems, upgrading security,” Kahle said in the latest update shared on X. 

Related: Casio Hit by Cyberattack

Related: CreditRiskMonitor Data Breach Impacts Employee Information

Related: Physical Security Firm ADT Hacked Again