State actors? Maybe.
It’s a bit tinhatty, though I’m betting on something akin to corporate espionage pointed at the Internet Archive.
Could just be a 14 year old kid with a bit of talent too. Wouldn’t be the first time.
I can’t think of any reason to attack that website, what have they done wrong?
I just sent a DMCA takedown last week to remove my site. They’ve claimed to follow meta tags and robots.txt since 1998, but no, they had over 1,000,000 of my pages going back that far. They even had the robots.txt configured for them archived from 1998.
I’m tired of people linking to archived versions of things that I worked hard to create. Sites like Wikipedia were archiving urls and then linking to the archive, effectively removing branding and blocking user engagement.
Not to mention that I’m losing advertising revenue if someone views the site in an archive. I have fewer problems with archiving if the original site is gone, but to mirror and republish active content with no supported way to prevent it short of legal action is ridiculous. Not to mention that I lose control over what’s done with that content – are they going to let Google train AI on it with their new partnership?
I’m not a fan. They could easily allow people to block archiving, but they choose not to. They offer a way to circumvent artist or owner control, and I’m surprised that they still exist.
So… That’s what I think is wrong with them.
From a security perspective it’s terrible that they were breached. But it is kind of ironic – maybe they can think of it as an archive of their passwords or something.
Good thing I use archive.org without creating an account.
Spare a thought for the users with accounts who upload content to IA for you to enjoy.
I recently went through most of my accounts and randomized the username, with the thought here being to limit the likelihood of one site being compromised leading to accounts at other sites being compromised. I don’t have to remember them due to using a password manager, so it’s really no skin off my nose.
I’ll use this as a reminder to everyone to improve your security. Some ideas:
- use a password manager and use random usernames and passwords
- have multiple email accounts, and don’t use your “main” email w/ random signups - I use a simple mnemonic, like “<user>-<purpose>@domain.com”; so “me-shopping@domain.com” or “me-games@domain.com” so it’s easy for me to remember, but unlikely for a lazy hacker to pwn other accounts (a lot of these are automated); my real email is “me@different-domain.com”
- use 2FA if offered, even if it’s stupid SMS or email based; having any extra step can deter an attacker
Sucks that people are targeting IA, I hope there isn’t any lasting damage and that this is a simple defacement/DOS.