Stolen Access Tokens Lead to New Internet Archive Breach


Hours after the Internet Archive was reportedly back on its feet following a wave of cyber-attacks, it seems that the world’s largest digital library is in hot water again.

On October 20, several Internet Archive users and media outlets reported having received an email seemingly from the Internet Archive Team sharing a stolen access token for the digital library’s Zendesk account, a customer service platform that provides tools for managing support tickets.

The email accused the Internet Archive of not doing the due diligence of rotating many of the API keys that were exposed in their GitLab secrets.

It continued: “As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to info@archive.org since 2018.”

“Whether you were trying to ask a general question, or requesting the removal of your site from the Wayback Machine, your data is now in the hands of some random guy. If not me, it'd be someone else.”

Although this email came from an unauthorized source, it appears to have passed email security checks, suggesting it came from an authorized Zendesk server.

Security research group Vx-underground commented on X: “It appears that the person(s) who compromised The Internet Archive still maintain some form of persistent access and are trying to send a message.”

Jake Moore, a global cybersecurity advisor at ESET, said this episode shows that “it is vital that companies act swiftly in a full audit [following such an attack] as it is clear that malicious actors will come back time and time again to test their new defenses.”

Exposed GitLab Configuration File

Internet Archive suffered a series of cyber-attacks over the past week, including distributed denial-of-service (DDoS) attacks, a JavaScript-based website defacement and a data breach.

The pro-Palestinian hacktivist group BlackMeta claimed the DDoS attacks; however, the data breach could have come from a different threat actor.

The news site BleepingComputer said the hacker behind the Internet Archive breach contacted them and claimed they managed to get hold of an exposed GitLab configuration file on one of the organization's development servers, services-hls.dev.archive.org.

This file allegedly contained an authentication token allowing the threat actor to download source code from Internet Archive.

This source code likely contained the application programming interface (API) access tokens for Internet Archive's Zendesk customer support system.

Ev Kontsevoy, CEO of Teleport, commented: “This attack could mean the threat actor now has access to more than 800 support tickets. While many have been critical of Internet Archive for not rotating API keys, it can be challenging in the aftermath of a breach for organizations to pick through the blast radius of an attack to prevent further exploitation.”

“An instant, at-hand view of access relationships is critical in today’s threat landscape. If you can intervene directly with the affected identities and resources, you can manage the incident without disrupting your broader user community,” he added.

Neither Internet Archive nor its founder, Brewster Kahle, has communicated about the stolen access tokens or the email sent through Zendesk.

Internet Archive and GitLab were contacted by Infosecurity but did not respond to requests for comment on this issue at the time of writing.
