https://www.bleepingcomputer.com/news/security/internet-archive-breached-again-through-stolen-access-tokens/
Internet Archive breached again through stolen access tokens

By Lawrence Abrams, October 20, 2024, 10:46 AM

The Internet Archive was breached again, this time on their Zendesk email support platform, after repeated warnings that threat actors had stolen exposed GitLab authentication tokens.

Since last night, BleepingComputer has received numerous messages from people who received replies to their old Internet Archive removal requests, warning that the organization has been breached because it did not correctly rotate its stolen authentication tokens.

"It's dispiriting to see that even after being made aware of the breach weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets," reads an email from the threat actor. "As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to info@archive.org since 2018."

"Whether you were trying to ask a general question, or requesting the removal of your site from the Wayback Machine your data is now in the hands of some random guy. If not me, it'd be someone else."

[Image: Internet Archive Zendesk emails sent by the threat actor. Source: BleepingComputer]

The email headers in these emails also pass all DKIM, DMARC, and SPF authentication checks, proving they were sent by an authorized Zendesk server at 192.161.151.10.
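To show what that header check tells an incident responder, here is an added Python example (not code from the article or from BleepingComputer) that reads a constructed message's Authentication-Results and Received headers and classifies it: all three checks passing from the vendor's own relay means the platform genuinely sent the mail, so the working theory is a compromised platform token or account rather than a spoofed sender. The sample headers, placeholder domains and the set of known relay IPs are assumptions; only the relay address 192.161.151.10 comes from the article.

```python
import re
from email import message_from_string
from typing import Dict, Optional, Set

# Constructed sample message (illustrative values, not the real headers).
# The relay IP is the one named in the article; the domains are placeholders.
SAMPLE_EMAIL = """\
Received: from relay.zendesk-placeholder.invalid (relay.zendesk-placeholder.invalid [192.161.151.10])
Authentication-Results: mx.recipient-placeholder.invalid;
 spf=pass (sender IP is 192.161.151.10) smtp.mailfrom=archive.org;
 dkim=pass header.d=archive.org header.s=zendesk1;
 dmarc=pass (p=REJECT) header.from=archive.org
From: Internet Archive Support <info@archive.org>
Subject: Re: Wayback Machine removal request

(body omitted)
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_authentication_results(raw_message: str) -> Dict[str, str]:
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    msg = message_from_string(raw_message)
    verdicts: Dict[str, str] = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(header):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def sending_ip(raw_message: str) -> Optional[str]:
    """Return the connecting IP recorded in the first (topmost) Received header."""
    received = message_from_string(raw_message).get_all("Received", [])
    match = IPV4_RE.search(received[0]) if received else None
    return match.group(1) if match else None


def classify(raw_message: str, known_platform_ips: Set[str]) -> str:
    """Triage verdict: all three checks passing from the vendor's own relay means
    the platform really sent it, so suspect a stolen token or account, not spoofing."""
    verdicts = parse_authentication_results(raw_message)
    all_pass = all(verdicts.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    if all_pass and sending_ip(raw_message) in known_platform_ips:
        return "authenticated-from-platform"
    if all_pass:
        return "authenticated-unknown-relay"
    return "unauthenticated-or-spoofed"
```

The known-relay set would come from the vendor's published sending ranges; a message that authenticates but arrives from an unknown relay still deserves a closer look.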
[Image: Internet Archive Zendesk email headers. Source: BleepingComputer]

After publishing this story, BleepingComputer was told by a recipient of these emails that they had to upload personal identification when requesting the removal of a page from the Wayback Machine. The threat actor may now also have access to these attachments, depending on the API access they had to Zendesk and whether they used it to download support tickets.

These emails come after BleepingComputer repeatedly tried to warn the Internet Archive that their source code was stolen through a GitLab authentication token that had been exposed online for almost two years.

Exposed GitLab authentication tokens

On October 9th, BleepingComputer reported that the Internet Archive was hit by two different attacks at once last week: a data breach in which the site's user data for 33 million users was stolen, and a DDoS attack by a pro-Palestinian group named SN_BlackMeta.

While both attacks occurred over the same period, they were conducted by different threat actors. However, many outlets incorrectly reported that SN_BlackMeta was behind the breach rather than just the DDoS attacks.

[Image: JavaScript alert on Internet Archive warning about the breach. Source: BleepingComputer]

This misreporting frustrated the threat actor behind the actual data breach, who contacted BleepingComputer through an intermediary to claim credit for the attack and explain how they breached the Internet Archive.

The threat actor told BleepingComputer that the initial breach of the Internet Archive started with them finding an exposed GitLab configuration file on one of the organization's development servers, services-hls.dev.archive.org.

BleepingComputer was able to confirm that this token has been exposed since at least December 2022, with it rotating multiple times since then.
[Image: Exposed Internet Archive GitLab authentication token. Source: BleepingComputer]

The threat actor says this GitLab configuration file contained an authentication token allowing them to download the Internet Archive source code.

The hacker says that this source code contained additional credentials and authentication tokens, including the credentials to Internet Archive's database management system. This allowed the threat actor to download the organization's user database and further source code, and to modify the site.

The threat actor claimed to have stolen 7TB of data from the Internet Archive but would not share any samples as proof. However, we now know that the stolen data also included the API access tokens for Internet Archive's Zendesk support system.

BleepingComputer attempted to contact the Internet Archive numerous times, as recently as Friday, offering to share what we knew about how the breach occurred and why it was done, but we never received a response.

Breached for cyber street cred

After the Internet Archive was breached, conspiracy theories abounded about why it was attacked. Some said it was Israel, the United States government, or corporations in their ongoing battle with the Internet Archive over copyright infringement.

However, the Internet Archive was not breached for political or monetary reasons, but simply because the threat actor could.

There is a large community of people who traffic in stolen data, whether for money (extorting the victim or selling it to other threat actors) or simply because they are collectors of data breaches. This data is often released for free to gain cyber street cred, increasing their reputation among other threat actors in this community as they all compete over who has the most significant and most publicized attacks.

In the case of the Internet Archive, there was no money to be made by trying to extort the organization.
However, as a well-known and extremely popular website, it definitely boosted a person's reputation amongst this community.

While no one has publicly claimed this breach, BleepingComputer was told it was done while the threat actor was in a group chat with others, with many receiving some of the stolen data.

This database is now likely being traded amongst other people in the data breach community, and we will likely see it leaked for free in the future on hacking forums like Breached.

Update 10/20/24: Added information about how some people had to upload personal IDs when requesting removal from the Internet Archive.

Related Articles:
Internet Archive hacked, data breach impacts 31 million users
Cisco takes DevHub portal offline after hacker publishes stolen data
Tech giant Nidec confirms data breach following ransomware attack
BianLian ransomware claims attack on Boston Children's Health Physicians
Hackers blackmail Globe Life after stealing customer data

Tags: Access Token, Authentication Tokens, Data Breach, GitLab, Internet Archive, Zendesk

Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.

Comments

notsahil - 5 hours ago
Hello, just curious which software is the screenshot from that captioned: "Exposed Internet Archive GitLab authentication token" Thank You!