Internet Archive was recently hacked. They posted a message:
What we know: DDOS attack-fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords.
I have an account on Internet Archive. Should I reset my password once their site is fully operational?
Unless you have proof that the passwords were not accessed or compromised, then you should err on the side of caution and change it.
And if you re-use that same password (or pattern) anywhere else, you should change those as well.
This shouldn’t even be considered.
Reseting your password takes almost no time effort, and no money to do: you might as well do it even if the chances of account compromise is small.
It’s like putting on a seatbelt: a small measure that might just save your life.
Yes.
I am not clear on what "salted-encrypted" means. Typically passwords are hashed using a password hash, which includes a salt. Salted-encrypyted could mean the password hashes are additionally encrypted, or it could be an incorrect term where encryption is confused with hashing.
Although not straightforward, it is likely that plaintext passwords are recoverable from these "salted-encrypted passwords". This is more likely if your password is less complex and easy to guess. Therefore, it is possible that attackers can obtain your password.
If you reuse the same password in other locations, you should also change your password on those other sites. Attackers may try to use your Internet Archive password to log in to other sites.
Update: the passwords were hashed with bcrypt with cost factor 10, not additionally encrypted. This is possible but slow to brute force.
Yes. Internet Archive founder Brewster Kahle has confirmed that there was a "breach of usernames/email/salted-encrypted passwords". Because they're responsible, you can expect your account to be locked and require a password reset when they come back online.
If you use the same password anywhere else, you should change that now. Then go in and change any other password used in multiple places.
Changing your password should be your first reaction to any such announcement. If that is a burden for you, you need to change how you think about passwords as they should all be disposable and trivially replaceable using your password manager's password generator. Breaches are happening with increased frequency, so there's no other way to go about this for sites that haven't fully removed passwords in favor of alternate methods like passkeys.
You can get updates through Twitter/X, Bluesky, and Mastodon, the last of which says:
Wayback Machine running strong (yippie!).
Still working to bring archive.org items & other services online safely.
@internetarchive team spirits high, but tired.
While the Wayback Machine is now operational (as a "provisional read-only" service), the main site is not (see the latest archive of https://archive.org). It'll be back soon and then you should change your password (even if they don't require you to do so).
Controversially: It's not that urgent.
Other answers cover why you might want to change it, but they are talking about best practices and not really thinking about the exact case. I think there's value in looking at the specifics so we can learn from them (spoiler: properly hashing stored passwords is good). Let's break it down.
Background of IA's password storage:
Here's an example extract from the database, from the article here: $2a$10$Bho2e2ptPnFRJyJKIn5BiehIDiEwhjfMZFVRM9fRCarKXkemA3PxuScottHelme.
This is bcrypt with 2^10 = 1,024 rounds, which is the default in many implementations (see here for how to parse this string). You can see that people were recommending higher rounds than back in 2015 on this very website.
It is possible that accounts that set/changed their password later (above example was set in 2020) were assigned higher rounds, but best practice is to update such things on a login when the site has access to the plaintext password, can compare it against database, and can re-hash it with higher amount of rounds (or even a different algorithm) to then save on the database again. (We don't know if the journalist logged in since 2020 either though.)
For simplicity let's assume that they were using 2^10 rounds for everyone.
Impact:
I don't trust myself with benchmarking it, but a user benchmarked it here on an Apple M3 Max CPU (albeit on Python) and each attempt to hash took 84.8ms on bcrypt with 2^10 rounds.
In bcrypt the salt is 16 bytes, the password hash itself 24 bytes. This is fairly secure against rainbow tables, so depending on your password length, if it isn't shared with a different website, isn't one of the common passwords or vulnerable to a wordlist attack, bruteforcing it is the only option left available.
Even with just a 8 character password containing only a-zA-Z0-9, even if the characterset and password length was known, that'd take 584117 years (0.0848 * ((26+26+10) ** 8) seconds) of CPU time to exhaust all options (if running on an M3 max, probably on a single core, running in python. more optimized setups will obviously take less).
It's still good practice to do it, but I have a long and random password, so I for one am not worrying about following exactly when IA is going to return, I don't care to log in and change my password ASAP. I'll find out at some point that it's back, then I'm going to change it when I find time. In the future there may be developments in technology that cuts this time down significantly of course, so you shouldn't leave it as-is forever.
