Another breach of Internet Archive - this time through stolen access tokens
The Internet Archive is facing multiple security breaches, significantly impacting its operations and user data. In early October 2024, the organization experienced a substantial data breach, exposing the personal information of approximately 31 million users. The compromised data included email addresses, usernames, and bcrypt-hashed passwords.
Concurrently, the Internet Archive was subjected to a series of Distributed Denial-of-Service (DDoS) attacks, which disrupted its services, including the Wayback Machine, rendering them temporarily unavailable.
In the latest breach, threat actors have exploited stolen GitLab authentication tokens to breach the Internet Archive's Zendesk email support platform. This unauthorized access enabled the attackers to send emails to users, posing as the organization's support team. These emails passed all DKIM, DMARC, and SPF authentication checks, indicating they were sent from an authorized Zendesk server.
The attackers have criticized the Internet Archive for not rotating the exposed API keys, which could have mitigated the risk of such unauthorized access. They claim that the organization was made aware of the breach weeks prior but had not taken adequate steps to secure the compromised tokens.
The previous breach exposed a .git/config file containing authentication tokens. A threat actor found an exposed GitLab configuration file on a development server (services-hls.dev.archive.org), with the token reportedly exposed since at least December 2022 and rotated multiple times since then.
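For teams auditing their own checkouts and deployed web roots for the same weakness, the added example below (not code from the Internet Archive or from this post) parses the text of a .git/config file and reports where credentials are stored, without echoing the secret. The function name, the sample config and the host `gitlab.example.invalid` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

SECTION = re.compile(r'^\s*\[(.+)\]\s*$')
KEYVAL = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

def find_git_config_secrets(config_text):
    """Return (line, section, key, reason) for credentials stored in a git config.

    The secret itself is never returned, only its location and kind.
    """
    findings, section = [], None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith(("#", ";")):      # git config comment lines
            continue
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        kv = KEYVAL.match(line)
        if not kv:
            continue
        key, value = kv.group(1).lower(), kv.group(2)
        if key in ("url", "pushurl"):
            parts = urlsplit(value)
            if parts.password:
                findings.append((lineno, section, key,
                                 f"password or token in URL for {parts.hostname}"))
            elif parts.username and parts.scheme in ("http", "https"):
                findings.append((lineno, section, key,
                                 f"possible token as URL username for {parts.hostname}"))
        elif key == "extraheader" and value.lower().startswith("authorization:"):
            findings.append((lineno, section, key, "Authorization header stored in config"))
    return findings

# Constructed sample config, not taken from the incident.
SAMPLE = """\
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://deploy-bot:EXAMPLE-TOKEN-0000@gitlab.example.invalid/team/app.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = git@gitlab.example.invalid:team/app.git
[http "https://gitlab.example.invalid/"]
    extraheader = Authorization: Bearer EXAMPLE-TOKEN-1111
"""

if __name__ == "__main__":
    for finding in find_git_config_secrets(SAMPLE):
        print(finding)
```

Any finding means the token should be treated as exposed wherever that file was readable: rotate it and move the credential into a credential helper or CI secret store rather than the remote URL.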
Users who have interacted with the Internet Archive, especially those who have submitted support tickets or provided personal information, should remain very suspicious of emails from the Internet Archive and rotate all passwords - particularly if they are reused across multiple platforms.