Internet Archive Suffers Cyberattacks, Hackers Send Emails

Written by: Kiara Fabbri, Multimedia Journalist

Fact-checked by: Justyn Newman, Lead Cybersecurity Editor

In a Rush? Here are the Quick Facts!

  • The Internet Archive faced multiple cyberattacks, causing significant service disruptions.
  • A breach on Zendesk exposed sensitive data from 33 million users.
  • Hackers retained access, sending emails posing as official support.

The Internet Archive, a well-known non-profit digital library and home to the Wayback Machine, has recently been the target of multiple cyberattacks, leading to significant service disruptions for users.

In a new development, the organization suffered a breach on its Zendesk email support platform. This breach occurred after repeated alerts regarding the theft of exposed GitLab authentication tokens by malicious actors, as reported by BleepingComputer (BC).

On Sunday morning, The Verge reported receiving an email from “The Internet Archive Team” in response to a query they sent on October 9.

However, it appears that this email was not sent by the official support team but was rather authored by the hackers who had previously compromised the site, suggesting that they still retain access to the organization’s systems.

Users on the Internet Archive subreddit have also reported receiving similar replies, adding to concerns about security.

BC also reported receiving numerous messages from users who were alerted about the breach through replies to their old removal requests. Many of these notifications warned that the Internet Archive had not effectively rotated the stolen authentication tokens.

One email from the hacker to BC expressed disappointment, stating, “It’s dispiriting to see that even after being made aware of the breach weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets.”

Last week, hackers breached the Internet Archive, leaking sensitive information belonging to millions of users and defacing the site with a message mocking the organization for operating on a limited budget, noted The Washington Post.

To mitigate further leaks, the Internet Archive’s team decided to take down the site, including the widely used Wayback Machine, as noted by The Post.

Founder Brewster Kahle revealed that this was the first time in nearly 30 years that the site experienced an outage lasting more than a few hours, noted The Post.

BC says it had previously reported that the Internet Archive experienced simultaneous attacks the previous week: a data breach affecting the user data of 33 million accounts and a Distributed Denial of Service (DDoS) attack orchestrated by a group called SN_BlackMeta.

Although both incidents occurred during the same timeframe, they were executed by different threat actors. Many news outlets erroneously attributed the data breach to SN_BlackMeta, conflating the two attacks, noted BC.

This misrepresentation frustrated the actual perpetrator of the data breach, prompting them to reach out to BC. They claimed responsibility for the breach and provided details on how they infiltrated the Internet Archive.

According to the attackers, the breach began when they discovered an exposed GitLab configuration file on one of the organization’s development servers. BC confirmed that the token in this file had been publicly available since at least December 2022, having been rotated multiple times since.

The hackers claimed that this GitLab configuration file contained an authentication token that enabled them to download the Internet Archive’s source code, which in turn included further credentials and authentication tokens, including those for the organization’s database management system.

This access allowed them to download the user database, additional source code, and even modify the site. They asserted that they stole 7TB of data from the Internet Archive but did not provide samples as proof, as reported by BC.

It has now been confirmed that the stolen data also included API access tokens for the Internet Archive’s Zendesk support system. BC said that it attempted to contact the Internet Archive multiple times, most recently on Friday, to discuss the breach and its implications, but received no response.

According to The Verge, the Internet Archive team is working around the clock across time zones to restore services. In a blog post dated October 17, Kahle indicated that the site anticipates returning more services in the “coming days,” although initially in read-only mode as full restoration may take additional time.

The reasons behind the recent cyberattacks on the site remain unclear, says The Verge. Forbes suggests that the motivation behind these breaches seems to be reputational rather than financial.

The Post noted that the Internet Archive has faced legal challenges in the past, including lawsuits from book publishers and music labels over digitizing copyrighted material, which the organization maintains is permissible for non-commercial archival purposes.

The Post reports that Kahle warned that the potential penalties from these lawsuits, which could amount to hundreds of millions of dollars, pose a significant threat to the Internet Archive’s survival.

While these lawsuits are ongoing, the Internet Archive now faces the dual challenge of managing legal disputes and countering cyber threats.

The organization previously experienced a DDoS attack in May, leading to intermittent outages. Kahle mentioned to The Post that this was the first instance of the site being targeted in its history.
