Introduction
On October 20, 2023, the Internet Archive experienced a major cyberattack [3] [7], which was the latest in a series of security breaches that month. This incident exposed significant vulnerabilities in the organization’s token management practices, leading to unauthorized access to sensitive user data and raising concerns about the organization’s cybersecurity measures.
Description
On October 20, 2023, the Internet Archive suffered a significant cyberattack, marking the culmination of a series of breaches that month. The most recent attack followed an initial breach on October 9, when hackers exploited a publicly exposed GitLab configuration file on one of the organization’s development servers. This file contained an authentication token that allowed access to the Internet Archive’s source code, leading to the theft of sensitive information from approximately 31 million users. The attackers subsequently targeted the Archive’s Zendesk platform, using unrotated API tokens to access thousands of support tickets [6], some of which contained personal identification documents [6].
Several users reported receiving mass emails that appeared to originate from the Internet Archive Team [1], which contained a stolen access token for the organization’s Zendesk account [1]. This token [1] [3] [5] [6], which had not been rotated, granted unauthorized access to over 800,000 support tickets submitted to info@archive.org dating back to 2018, as well as sensitive user data, including email addresses [5], screen names [5], and password modification timestamps [5]. The breaches highlighted significant vulnerabilities in token management [6], as the unrotated tokens enabled repeated access to sensitive information across multiple incidents [6].
The emails criticized the Internet Archive for its failure to secure and rotate exposed API keys, including the Zendesk token [3] [4] [10], despite a breach notification issued two weeks prior [2]. Although the emails were sent from an unauthorized source [1], they successfully passed email security checks [1], suggesting they may have come from an authorized Zendesk server [1]. Security research group Vx-underground noted that the individuals responsible for the breach likely still have persistent access to the Internet Archive’s systems [1], compounding the damage from earlier attacks. Following the breach [3] [6] [9], hackers began responding to support tickets submitted by users [3], indicating they may have gained access to the Zendesk API token [3].
Cybersecurity expert Jake Moore emphasized the importance of conducting a thorough audit following such incidents [1], as malicious actors are likely to continue testing defenses [1]. Chris Hickman [2] [10], Chief Security Officer at Keyfactor [2] [10], highlighted the risks associated with unrotated tokens [2], stating that they can lead to unauthorized access [2], potential misuse [10], service disruptions [10], and damage to the organization’s reputation [10]. Internet Archive founder Brewster Kahle acknowledged the breaches and stated that efforts are underway to improve security and strengthen defenses. The Internet Archive has not publicly commented on this incident but has recently requested donations to support its mission of promoting open access to knowledge resources [10]. Users whose data was compromised are advised to remain vigilant against potential phishing attacks [6], as hackers may use the stolen information to craft convincing fake emails aimed at obtaining login credentials or personal details [6]. The identity of the attackers remains unclear [8], with indications that the breach may have been orchestrated by a Russian hacker group, further complicating the situation.
Conclusion
The cyberattacks on the Internet Archive underscore the critical need for robust cybersecurity measures, particularly in managing and rotating API tokens to prevent unauthorized access. The breaches have not only compromised sensitive user data but also highlighted the potential for reputational damage and service disruptions. Moving forward, the Internet Archive must prioritize strengthening its security infrastructure and conducting comprehensive audits to mitigate future risks. Users are advised to remain cautious and vigilant against phishing attempts, as the stolen data could be used for further malicious activities. The ongoing investigation into the identity of the attackers continues, with potential implications for international cybersecurity dynamics.
References
[1] https://www.infosecurity-magazine.com/news/stolen-tokens-internet-archive/
[2] https://mashable.com/article/internet-archive-still-being-hacked-support
[3] https://www.malwarebytes.com/blog/news/2024/10/internet-archive-attackers-email-support-users-your-data-is-now-in-the-hands-of-some-random-guy
[4] https://www.theverge.com/2024/10/20/24274826/internet-archive-hackers-replying-zendesk-tickets
[5] https://www.csoonline.com/article/3573962/internet-archive-breached-twice-within-days.html
[6] https://techround.co.uk/news/internet-archive-3rd-data-breach/
[7] https://www.forbes.com/sites/larsdaniel/2024/10/20/internet-archive-breached-again-third-cyber-attack-in-october-2024/
[8] https://www.heise.de/en/news/Next-cyberattack-on-the-Internet-Archive-access-to-countless-emails-9987768.html
[9] https://www.zdnet.com/article/more-of-internet-archive-is-back-online-despite-hackers-infiltrating-its-helpdesk/
[10] https://www.darkreading.com/cyberattacks-data-breaches/internet-archive-pummeled-round-2-breach