Internet Archive Hit by Third Cyberattack in October 2024

In a continued wave of cyberattacks, the Internet Archive confirmed its third breach on October 20, 2024. Hackers managed to exploit unrotated Zendesk API tokens, granting them access to the Archive’s support platform. This breach follows two other major incidents earlier this month, indicating escalating vulnerabilities in the Archive’s systems.

Background of the Breaches

The Internet Archive, a nonprofit digital library established in 1996 by Brewster Kahle, is widely known for its mission to provide “universal access to all knowledge.” Its Wayback Machine is a well-regarded tool that archives websites, allowing users to view them as they appeared in the past, making it an invaluable resource for researchers, historians, and the general public. Beyond websites, the Archive hosts millions of digital items, including books, music, audio files, videos, and software, preserving historical and cultural materials. This massive repository has become an essential tool for maintaining the digital history of the internet.

Despite its noble purpose, the organization has been under siege in recent weeks. These attacks have drawn attention to severe security gaps, most notably token management failures. The first breach occurred on October 9, 2024, when hackers exploited a GitLab token, which had been vulnerable since late 2022, exposing the personal data of 31 million users. The breach coincided with a Distributed Denial of Service (DDoS) attack carried out by the group SN_BlackMeta, which temporarily brought down the Archive’s servers. Although the two attacks were separate, their concurrent timing overwhelmed the Archive’s infrastructure.

Second Breach in Mid-October

Following the initial breach, another attack occurred in mid-October. This time, hackers accessed the Archive’s Zendesk support platform by exploiting unrotated API tokens—digital keys used for system access. Despite previous warnings, these tokens had not been properly secured. As a result, the attackers gained access to thousands of support tickets, some of which dated back to 2018, potentially containing sensitive personal identification documents submitted by users. This second breach highlighted critical security flaws, particularly the Archive’s failure to regularly rotate or update access tokens, leaving its systems vulnerable.

The Third Breach: October 20, 2024

The third and most recent breach on October 20, 2024, followed a similar pattern, with hackers continuing to exploit the same Zendesk API tokens that had been exposed during the previous attacks. The Internet Archive had failed to rotate or secure these tokens despite earlier breaches and warnings. Consequently, the attackers maintained access to the Zendesk support platform, which stores sensitive user data, including personal identification documents. Many of these documents were submitted by users requesting content removal from the Archive’s services, exacerbating the severity of the breach.

Links Between the Breaches

Each breach this month has been connected by the Archive’s failure to address token vulnerabilities, which left critical systems exposed. The first breach on October 9, which involved a GitLab token left unprotected since 2022, opened the door for attackers to steal source code and user data. At the same time, the Archive was hit by a DDoS attack from SN_BlackMeta, which took the site offline, drawing attention to significant weaknesses in the Archive’s cybersecurity.

The second breach in mid-October shifted the focus to the Internet Archive’s Zendesk support platform, where hackers took advantage of unrotated API tokens. Despite warnings after the first attack, these tokens remained unchanged, allowing unauthorized access to user data. This second incident underscored the lack of proactive measures taken by the Archive to protect its systems.

Finally, the third breach on October 20 was the result of the same failure to rotate access tokens. The fact that these tokens remained vulnerable after two previous breaches is indicative of a broader failure in the Archive’s security protocols. Each breach has compounded the damage caused to the organization, building on unresolved vulnerabilities and creating a cycle of ongoing exposure.

Why Is the Internet Archive Being Targeted?

The series of breaches targeting the Internet Archive appears to be motivated by reputational rather than financial gain. In underground hacker communities, attackers often aim to build their “cyber street cred” by breaching prominent organizations and leaking data. As a widely recognized and significant repository of digital information, the Internet Archive became an ideal target for attackers seeking recognition.

While no ransom demands have been made following these breaches, the stolen data presents risks for phishing attacks and identity theft. The compromised personal identification documents submitted by users, including those requesting content removal, are of particular concern due to their sensitive nature.

Public Response and Impact

Following these attacks, the phrase “I stand with @internetarchive” began circulating on social media, particularly on X (formerly Twitter), as a show of support for the Archive. This phrase has become a rallying cry for individuals who support the Archive’s mission to provide free access to knowledge and preserve the internet’s digital history. Researchers, digital rights advocates, and members of the public have voiced their solidarity, emphasizing the importance of the Archive’s work for future generations.

The Internet Archive remains a critical resource for preserving digital history, but these recent attacks raise serious questions about its cybersecurity practices. The breaches serve as a reminder that even organizations with altruistic goals must prioritize security to protect the sensitive data of their users.

What’s Next for the Internet Archive?


As the breaches continue to escalate, the Internet Archive must take swift and decisive action to secure its systems. Rotating API tokens, implementing stricter access controls, and conducting regular security audits are essential steps the Archive must take to prevent further breaches. With attackers continually exploiting the same vulnerabilities, the organization faces mounting pressure to address these issues before more damage is done.
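
A rotation audit of the kind recommended above, as an added example (not code from the Internet Archive or the original article): it flags active tokens that exceed a maximum age, and also tokens issued on or before a known compromise date that were never reissued, which is the gap the repeated breaches exposed. The token names, the inventory, and the 90-day limit are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TOO_OLD = "older than maximum age"
PRE_INCIDENT = "issued on or before incident date and never reissued"

@dataclass
class Token:
    name: str
    system: str
    issued: date
    revoked: Optional[date] = None  # None means the token is still active

def audit_tokens(tokens, today, max_age_days, incident_date):
    """Return {token name: [reasons]} for active tokens that need rotation."""
    findings = {}
    for tok in tokens:
        if tok.revoked is not None and tok.revoked <= today:
            continue  # already revoked, nothing to rotate
        reasons = []
        if today - tok.issued > timedelta(days=max_age_days):
            reasons.append(TOO_OLD)
        # After a compromise, every credential that existed at that time is
        # suspect regardless of age, so it must be reissued.
        if tok.issued <= incident_date:
            reasons.append(PRE_INCIDENT)
        if reasons:
            findings[tok.name] = reasons
    return findings

# Constructed inventory; names and issue dates are hypothetical.
INVENTORY = [
    Token("helpdesk-api-legacy", "support desk", date(2021, 3, 1)),
    Token("repo-ci-deploy", "source control", date(2022, 12, 1)),
    Token("helpdesk-reporting", "support desk", date(2024, 9, 1)),
    Token("helpdesk-api-new", "support desk", date(2024, 10, 10)),
    Token("mirror-sync", "storage", date(2020, 1, 1), revoked=date(2023, 5, 1)),
]

def run_audit():
    # Dates from the article: first breach 2024-10-09, audit run 2024-10-20.
    # The 90-day maximum age is an assumed policy value.
    return audit_tokens(INVENTORY, date(2024, 10, 20), 90, date(2024, 10, 9))

if __name__ == "__main__":
    for name, reasons in run_audit().items():
        print(f"{name}: {'; '.join(reasons)}")
```

The second check matters most here: a token only 49 days old passes an age-based policy but is still flagged because it predates the incident.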

For those wishing to support the Internet Archive during this difficult time, the organization’s website provides information on how to donate to help fund its efforts to preserve digital history and improve its security infrastructure.