Internet Archive Faces Repeated Cybersecurity Challenges Amid Major Breaches
In October 2024, the Internet Archive, a non-profit organization founded by Brewster Kahle to safeguard the digital history of the internet, encountered significant security setbacks resulting in multiple data breaches. The first incident, occurring on October 9, involved both a data breach and a Distributed Denial-of-Service (DDoS) attack, which were promptly reported by cybersecurity outlets. This dual assault laid bare the organization’s vulnerabilities while exposing sensitive user information.
The breach became apparent when hackers displayed a message on the Internet Archive’s website, mocking its security shortcomings and announcing the exfiltration of data on a platform recognized for tracking compromised accounts, “Have I Been Pwned?” It was later uncovered that the attackers had exploited a GitLab token, compromising the Archive’s source code and affecting around 31 million user accounts. As a result, critical data, including Bcrypt-hashed passwords and email addresses, was divulged.
Concurrently, a pro-Palestinian group identified as SN_BlackMeta initiated another DDoS attack around the same period, temporarily rendering the site inoperable. This operation impacted not only the Internet Archive but also its Wayback Machine feature, an invaluable tool that catalogs billions of web pages. While these two attacks occurred simultaneously, indications suggest they were executed by different attackers.
On October 18, Kahle provided an update, assuring the public that stored data remained secure and that services such as the Wayback Machine and Archive-It had resumed. He noted that the organization was adopting a methodical approach to bolster its defenses against future threats. Despite these reassurances, the Internet Archive faced yet another breach just two days later. Hackers were able to gain access to the support platform via unrotated Zendesk API tokens, revealing a cache of support tickets dating back to 2018. This breach raised immediate concerns about the security practices of the Archive, particularly the organization’s failure to regularly rotate access tokens, which is a fundamental aspect of maintaining data integrity.
The situation was further complicated by reports from malware analysts indicating that users of the Internet Archive had received suspicious emails, suggesting the attackers had established ongoing access to the organization’s systems and were attempting to assert their presence.
The cumulative incidents represent a serious threat not just to data security but also to the reputation of the Internet Archive. Although motives behind these attacks appear to be more reputational than financially driven, the potential for phishing scams, identity theft, and other malicious activities looms large given the nature of the stolen information.
The Internet Archive has not issued a public statement regarding the breaches that occurred after the initial assurances. However, these series of attacks underscore the urgent need for enhanced cybersecurity protocols within organizations managing critical historical data. The breaches offer a stark reminder of the importance of regular security audits, stringent coding practices, and quick remedial actions in the face of identified vulnerabilities.
Applying the MITRE ATT&CK framework, these incidents potentially align with several tactics and techniques: initial access may have been gained through legitimate credentials compromised in the initial attack; persistence tactics could be evident in the ongoing access reported by users; and privilege escalation might have occurred during the second breach due to the exploitation of unrotated API tokens.
As the Internet Archive works to restore confidence and improve its defenses, the situation serves as a critical lesson for organizations regarding the safeguarding of user data and the need for robust cybersecurity infrastructures.
