Blog

The Internet Archive Hack: How JavaScript fits in the picture

The Internet Archive, also known as The Wayback Machine, experienced a security breach yesterday. This was not the first time it had been ta

Oct 18, 2024 • 2 min read

Simon Wijckmans Founder & CEO

What happened at the Internet Archive

The Internet Archive, known best for The Wayback Machine, experienced a security breach yesterday. This was not the first time it had been targeted.

A mocking JavaScript popup appeared, stating:

Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!

Mocking JavaScript popup left by attackers on the Internet Archive

HIBP, short for Have I Been Pwned?, is a site where users can check if their personal information has been compromised in a data breach. Troy Hunt, who runs HIBP, told BleepingComputer that he received a file days ago containing internal data for 31 million unique email addresses. He verified the data’s authenticity by comparing it with a user’s account details.

Have I Been Pwned listing of the Internet Archive breach data

The Internet Archive is an invaluable resource when researching cyberattacks. During our investigation into the Polyfill attack, we used it to uncover a fraudulent “Cloudflare Security Protection” tag.

Internet Archive snapshot of the polyfill.io homepage during the attack

It's disheartening to see non-profit organizations targeted by cybercriminals. While this incident involved a backend breach, no website is fully protected from the client-side attacks that we defend against.

As a result, we have decided to offer our services free of charge to any non-profit organization. Those that wish to use cside for their non-profit organizations will gain access to our advanced tools at no cost.

Founder & CEO Simon Wijckmans

Founder and CEO of cside. Previously a product manager on Cloudflare Page Shield (now Cloudflare Client-Side Security). Co-chair of the W3C Anti-Fraud Community Group and a Forbes 30 Under 30 honoree. Building accessible security against client-side attacks — web security is not an enterprise-only problem.

Back to top

Don't just take our word for it, ask AI

FAQ

Frequently Asked Questions

Attackers used a JavaScript popup on archive.org to taunt visitors and likely abused a vulnerable client-side dependency to escalate access. The data of 31 million users was later confirmed leaked to Have I Been Pwned.

Researchers and journalists rely on archive snapshots to investigate breaches. When the archive itself is compromised, the evidence trail for other supply chain attacks — like Polyfill — becomes harder to verify.

Monitor and Secure Your Third-Party Scripts

Gain full visibility and control over every script delivered to your users to enhance site security and performance.

Book a demo

Start for free

Start free, or try Business with a 14-day trial.

cside dashboard interface showing script monitoring and security analytics

GDPR and Online Gambling: Why Unauthorised Pixels Create a Dual Liability Problem

Unauthorised pixels on gambling sites trigger GDPR liability and ad-account bans at once, even when the operator never installed them. Here's why.

How to Block Bytespider (TikTok's AI Crawler)

Bytespider crawls your site for Bytedance's AI systems. Learn how to block it with robots.txt and IP ranges, and the key data sovereignty concerns.

Dark blog cover showing three malicious script casino attack methods: redirects fired from inside the browser, shadow GTM containers loading rogue tags, and geo-targeted mobile-only payloads

How Malicious Scripts Hijack Casino Player Journeys

Script-injected redirects divert casino players before they reach the lobby. Network tools miss them entirely. Here's how detection must work.

Dark cside blog cover with a blue pixel wave and checklist about APAC gambling script security

Client-Side Script Security for APAC Online Gambling Operators

How APAC online gambling operators in Japan, Singapore, the Philippines, and Australia can monitor third-party scripts across real player sessions.

How to Block Amazon Buy for Me on Your Website

Amazon Buy for Me shops your site for Prime users. Learn how it collects pricing and product data and how browser-layer detection gives you control.

Account Takeover Prevention: The Complete 2026 Playbook

The 2026 account takeover playbook: an end-to-end model for login, recovery, session, and post-auth defense against AI-agent and bot-driven attacks.

Dark cside blog cover with a blue pixel wave and checklist about compromised affiliate scripts stealing casino revenue

How Compromised Affiliate Scripts Steal Online Casino Revenue

Compromised affiliate scripts redirect players, steal commissions, and manipulate UTM attribution on casino pages, silently and at scale.

Dark blog cover showing three browser extension attack vectors: redirects to phishing clones, session token theft and account takeover, and payment fields rewritten at the DOM

How Browser Extensions Attack Online Casino Players: What Operators Can Do About It

Browser extensions can steal session tokens and hijack payments on casino sites. Here's how they attack, why servers miss it, and how to detect them.

How to Block AI-Powered Fake Account Creation

AI agents create fake accounts with human-like behaviour that defeats CAPTCHA. Learn the browser-layer signals that reveal automated registrations.

How to Block CCBot (Common Crawl's AI Crawler)

CCBot feeds Common Crawl datasets used to train GPT-3, BLOOM, LLaMA, and many other AI models. Learn how to block it and what blocking actually does.