The Internet Archive has been the victim of a significant data breach, notably compromising its Zendesk email support platform. Following persistent warnings that exposed GitLab authentication tokens had been exploited, threat actors gained unauthorized access to sensitive data. Reports surfaced last night from users who began receiving replies to earlier removal requests they had filed with the organization; the messages stated that the breach had occurred because exposed tokens were not rotated.
“It’s disheartening to note that despite being alerted about the breach weeks ago, the Internet Archive failed to adequately rotate many of its API keys exposed in GitLab,” a threat actor commented in correspondence shared with BleepingComputer. This email highlighted a specific Zendesk token, which enabled access to over 800,000 support tickets that had been sent to the organization since 2018.
Documents revealed that the threat actor’s messages passed all DKIM, DMARC, and SPF authentication checks, indicating they were sent from a legitimate Zendesk server rather than spoofed. This authenticity reinforces concerns regarding the organization’s response to the breach, especially given the potential access to personal information embedded in support requests. Recipients noted that personal identification had been required to process removal requests from the Wayback Machine, raising additional privacy concerns about the data now possibly in the hands of unauthorized individuals.
The Internet Archive had previously been alerted that its source code was exposed through a GitLab token discovered on a development server, an exposure that had persisted since at least December 2022. The breach shows a clear lapse in the organization’s handling of sensitive credentials. The threat actor indicated that this token was a gateway not only to source code but also to broader credentials, allowing unauthorized entry into the organization’s databases and associated resources.
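The practical lesson of the two paragraphs above is that an exposure notice is only useful if it is followed by an inventory of the affected credentials and a check that each one was actually rotated after the notice. The following script is an added illustration of that check, written for this article and not code from the Internet Archive or BleepingComputer. It assumes a hypothetical credentials inventory with a `rotated_on` date per secret, a constructed configuration fragment containing made-up token values, and a constructed notice date; the only real-world detail it relies on is that GitLab personal access tokens carry the `glpat-` prefix.

```python
import re
from datetime import date

# Constructed inventory of secrets, as a security team might keep one.
# Names, dates and values are made up for this example.
INVENTORY = [
    {"name": "gitlab-deploy-token", "value": "glpat-AAAAAAAAAAAAAAAAAAAA", "rotated_on": "2024-10-03"},
    {"name": "zendesk-api-token", "value": "BBBBBBBBBBBBBBBBBBBBBBBB", "rotated_on": "2023-05-11"},
    {"name": "db-readonly-password", "value": "CCCCCCCCCCCCCCCC", "rotated_on": "2024-09-30"},
]

# Constructed date on which the exposure was reported (hypothetical).
NOTICE_DATE = date(2024, 10, 1)

# Constructed configuration fragment of the kind that might sit on a dev server.
SAMPLE_CONFIG = """
# constructed .env fragment, values are placeholders
GITLAB_TOKEN=glpat-AAAAAAAAAAAAAAAAAAAA
ZENDESK_API_TOKEN = "BBBBBBBBBBBBBBBBBBBBBBBB"
DEBUG=true
"""

# GitLab personal access tokens start with "glpat-" (real prefix).
GITLAB_PAT_RE = re.compile(r"glpat-[A-Za-z0-9_\-]{20,}")

# Generic assignment of a long value to a variable whose name suggests a secret.
GENERIC_SECRET_RE = re.compile(
    r"^\s*\w*(?:token|key|secret)\w*\s*=\s*[\"']?([A-Za-z0-9_\-]{16,})",
    re.IGNORECASE | re.MULTILINE,
)


def find_tokens(text):
    """Return (kind, value) pairs for credential-looking strings in text.

    GitLab PATs are reported first by their prefix; any other long value
    assigned to a token/key/secret variable is reported as 'generic'.
    """
    findings = [("gitlab_pat", m.group(0)) for m in GITLAB_PAT_RE.finditer(text)]
    for m in GENERIC_SECRET_RE.finditer(text):
        value = m.group(1)
        if not value.startswith("glpat-"):
            findings.append(("generic", value))
    return findings


def needs_rotation(inventory, notice_date):
    """Names of credentials not rotated strictly after the exposure notice."""
    stale = []
    for item in inventory:
        rotated = date.fromisoformat(item["rotated_on"])
        if rotated <= notice_date:
            stale.append(item["name"])
    return stale


def exposed_and_stale(inventory, notice_date, text):
    """Cross-reference: secrets found in the scanned text that are also stale."""
    found_values = {value for _, value in find_tokens(text)}
    stale_names = set(needs_rotation(inventory, notice_date))
    return sorted(
        item["name"] for item in inventory
        if item["name"] in stale_names and item["value"] in found_values
    )


if __name__ == "__main__":
    for kind, value in find_tokens(SAMPLE_CONFIG):
        print(f"found {kind}: {value[:8]}...")  # never print whole secrets
    print("not rotated since notice:", needs_rotation(INVENTORY, NOTICE_DATE))
    print("exposed AND stale:", exposed_and_stale(INVENTORY, NOTICE_DATE, SAMPLE_CONFIG))
```

The last function is the one that matters operationally: a secret that appears in an exposed file and has not been rotated since the notice is the case the article describes, and it should be treated as compromised regardless of whether misuse has been observed.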
Cybersecurity sources confirmed that the incident was part of a broader assault on the Internet Archive, which included both a data breach affecting 33 million user records and a concurrent DDoS attack by a group identified as SN_BlackMeta. However, it is critical to distinguish between these actions, as they were carried out by different parties; the attention drawn by the DDoS group has obscured the gravity of the original data exposure.
In addition to exposing user data and code, the breach carries a heightened risk of further dissemination of the stolen data among cybercriminals. Victims face the unsettling reality that the personal information they previously shared could now circulate within underground networks. The breach also illustrates how, in MITRE ATT&CK terms, compromised tokens can serve both as an initial access vector and as leverage for privilege escalation.
While many theories surrounding the breach have circulated, the motivation appears to stem less from financial gain or geopolitical objectives and more from establishing a reputation within cybercrime circles. Breaching the Internet Archive enhances the attackers’ credibility among their peers, reflecting a chilling aspect of modern cyber threats that prize notoriety over profit.
BleepingComputer has attempted to engage with the Internet Archive for insight and context regarding the breach but received no responses. As the situation unfolds, stakeholders across various sectors should remain cautious and prioritize robust security practices, especially regarding access credentials and personal data protection.