Customer service provider Zendesk has helped Internet Archive resolve a breach that let hackers send emails on behalf of the digital library.
In the latest episode in a series of cyber-attacks that saw Internet Archive hit by DDoS attacks and a website defacement, a threat actor used a stolen access token for the digital library’s Zendesk account to send many of the library’s users an email that appeared to come from the Internet Archive team.
This was confirmed by an Internet Archive blog post on October 21, which declared that “hackers disclosed archive.org email and encrypted passwords to a transparency website, and also sent emails to patrons by exploiting a third-party helpdesk system.”
Internet Archive’s Security Failures
Speaking to Infosecurity, a Zendesk spokesperson said that Internet Archive did not secure its authentication tokens, which enabled unauthorized access to their Zendesk instance. The Zendesk team has since worked with Internet Archive to secure the non-profit’s account.
“It’s important to note that there is no evidence this was a Zendesk issue and that Zendesk did not experience a compromise of its platform,” the spokesperson added.
News site BleepingComputer said the hacker behind the Internet Archive breach contacted them and claimed they managed to get hold of an exposed GitLab configuration file on one of the organization's development servers, services-hls.dev.archive.org.
This file allegedly contained an authentication token allowing the threat actor to download source code from Internet Archive.
This source code likely contained the application programming interface (API) access tokens for Internet Archive's Zendesk customer support system.
Speaking to Infosecurity, Josh Lemos, GitLab's CISO, commented: “It is imperative that users implement security best practices by rotating personal, group, and project access tokens and use a key management server (KMS) for securely storing secrets. Storing key material, including tokens and API keys in configuration files, is a security anti-pattern.”
He also said that, starting with GitLab version 16.0, all access tokens have a forced expiry date, a security best practice that ensures leaked tokens are not usable forever.
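The two controls Lemos describes, keeping tokens out of configuration files and capping their lifetime, can both be checked mechanically. The following Python is an added example, not code from Internet Archive, GitLab or Zendesk: it scans a constructed config file for GitLab-style and key-named secrets, and flags tokens that never expire or exceed an assumed one-year policy.

```python
import re
from datetime import date, timedelta

# Constructed sample config in the style of a leaked settings file.
# Values are placeholders, not real tokens.
SAMPLE_CONFIG = """\
# deployment settings (constructed example)
url = "https://gitlab.example.org"
private_token = "glpat-EXAMPLEexampleEXAMPLE12"
zendesk_api_token = "EXAMPLE_zendesk_api_token_value"
db_host = "localhost"
"""

# GitLab personal access tokens carry a 'glpat-' prefix; other secrets are
# caught by key name (heuristic assumption, tune for your own config formats).
GITLAB_PAT = re.compile(r"glpat-[A-Za-z0-9_-]{20,}")
NAMED_SECRET = re.compile(
    r"(?i)^\s*(\w*(?:token|secret|api_key|password)\w*)\s*=\s*['\"]([^'\"]+)['\"]")

def find_secrets(text):
    """Return (line_no, kind, key_or_token) for each suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = GITLAB_PAT.search(line)
        if m:
            findings.append((line_no, "gitlab_pat", m.group(0)))
            continue
        m = NAMED_SECRET.match(line)
        if m:
            findings.append((line_no, "named_secret", m.group(1)))
    return findings

def token_expiry_violations(tokens, max_lifetime_days=365):
    """Flag tokens with no expiry, or a lifetime beyond the chosen policy.

    tokens: dicts with 'name', 'created_at' (ISO date), 'expires_at' (ISO date or None).
    The one-year cap is an assumed policy value for this example.
    """
    violations = []
    for t in tokens:
        if t["expires_at"] is None:
            violations.append((t["name"], "no expiry set"))
            continue
        lifetime = date.fromisoformat(t["expires_at"]) - date.fromisoformat(t["created_at"])
        if lifetime > timedelta(days=max_lifetime_days):
            violations.append((t["name"], "lifetime exceeds policy"))
    return violations

if __name__ == "__main__":
    for line_no, kind, what in find_secrets(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind} -> {what[:8]}... (redacted)")
```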
BleepingComputer reported that it had "repeatedly tried to warn the Internet Archive about their source code being stolen due to a GitLab authentication token that had been exposed online for nearly two years."
Questions About Allegedly Compromised Data
In its latest blog post, Internet Archive did not say whether the data allegedly accessed by the threat actor in the non-profit’s source code was safe.
“The safety and integrity of the Internet Archive’s data and patrons remain our top priorities. As the security incident is analyzed and contained by our team, we are relaunching services as defenses are strengthened. These efforts are focused on reinforcing firewall systems and further protecting the data stores,” the library’s message read.
Some of the Internet Archive services have now resumed, including the Wayback Machine (starting October 13) and Archive-It (October 17), and archive.org has been made available in a read-only manner since October 21.
This is a developing story and will be updated as more information becomes available.