It’s been a rough few weeks for digital library The Internet Archive, after a number of Distributed Denial-of-Service (DDoS) attacks took the service offline and gave hackers access to the data of as many as 31 million users.
Initially, the stolen data would include email addresses, screen names and Bcrypt passwords. However, now there appears to be some confirmation that email addresses associated with Internet Archive support tickets have been stolen for good.
Numerous Internet Archive users have shared their experience of receiving responses to the support email info@archive.org that appear to have been sent by one of those responsible for the attack, who still retains some degree of control has about Internet Archive systems.
API keys are not rotated
Received an email by The edge from the Internet Archive stated:
“It is disheartening to see that even after being notified of the breach two weeks ago, IA still has not done the due diligence to rotate many of the API keys exposed in their Gitlab secrets.
As this post shows, this includes a Zendesk token with permissions to access over 800,000 support tickets sent to info@archive.org since 2018.
Whether you wanted to ask a general question or request your site’s removal from the Wayback Machine, your information is now in the hands of a random person. If it wasn’t me, it would be someone else.
I hope they get their affairs in order now.’
An API (Application Programming Interface) key is a token used to authenticate an application or user for access to an API. API tokens are unique and kept hidden to prevent unauthorized access, and are typically rotated to reduce the opportunity a hacker has if he compromises a key. However, according to the author of the email, the Internet Archive apparently did not follow best practices for API key security.
A blog post from Internet Archive founder Brewster Kahle posted the following on October 18: “The Internet Archive’s stored data is secure and we are working to resume services safely. This new reality requires more attention to cyber security and we are responding to this. We apologize for the impact of these library services being unavailable.”
“We are taking a cautious, measured approach to rebuilding and strengthening our defenses. Our priority is to ensure that the Internet Archive comes online stronger and more securely,” Kahle’s statement continued.
Jake Moore, Global Cybersecurity Advisor at ESET, said: “The Internet Archive has failed to replace previously stolen digital keys, leaving the platform vulnerable again to persistent attackers. Failure to clean up any exposed vulnerabilities, such as breached tokens, can lead to further problems, as we see here. Threat actors, including both the original attackers and new groups testing their (possible) new security, will continue to target a platform until a full patch is delivered and working.”
“As a result of this latest breach, attackers have been able to gain access to even more sensitive user information and once again compromised their users. This emphasizes the importance of quick responses and protocols after a cyber attack. It is critical that companies act quickly on a full audit, as it is clear that malicious actors will return again and again to test their new defenses,” said Moore.
