Hacked Internet Archive email accounts were used to send users a message saying 'your data has already been given to another third party'



The Internet Archive, which operates the Wayback Machine, was hacked on October 9, 2024, and the data of more than 31 million users was reportedly leaked. In addition, the hacker claims to have stolen Zendesk tokens used to access support tickets, and has been using Internet Archive email accounts to send messages to users who have previously requested support.

Internet Archive breached again through stolen access tokens
https://www.bleepingcomputer.com/news/security/internet-archive-breached-again-through-stolen-access-tokens/



The Internet Archive hackers still have access to its internal emailing tools - The Verge

https://www.theverge.com/2024/10/20/24274826/internet-archive-hackers-replying-zendesk-tickets

The cyber attack against the Internet Archive that occurred on October 9, 2024, began when a GitLab configuration file containing an authentication code for downloading the Internet Archive's source code was left publicly exposed on a development server. According to BleepingComputer, this configuration file had been publicly available since at least December 2022, and with the stolen configuration file, malicious actors could not only download the Internet Archive's user database but also add their own source code and modify the site.



The attack resulted in a considerable amount of user data being leaked, and Have I Been Pwned?, a service that allows users to check whether their personal information has been leaked, stated that '31 million records were compromised at the Internet Archive, including email addresses, names, and bcrypt-hashed passwords. 54% is already on Have I Been Pwned?'

Internet Archive hacked, 31 million user data leaked - GIGAZINE



The stolen data also included API access tokens for the Zendesk support system, which issues tickets required for users to request support from the Internet Archive. The hackers used the email account of the Internet Archive's support team to send a message to users who had previously requested support from the Internet Archive, claiming that 'The data we obtained this time includes a Zendesk token with the authority to access more than 800,000 support tickets sent to '[email protected]' since 2018. Whether you were trying to ask the Internet Archive a general question or requesting the removal of your site from the Wayback Machine, your data has already been given to another third party.'

Well that's concerning. Got this reply on an email I had sent out a week-or-so ago to the support line.
by u/Camwood7 in internetarchive



According to BleepingComputer, the message passed all authentication checks, including DKIM, DMARC, and SPF, proving it was sent from an authorized Zendesk server at 192.161.151.10.
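As an added illustration (not code from the article or from BleepingComputer), the sketch below parses the Authentication-Results header a receiving mail server adds and shows why a message like this one passes: SPF, DKIM and DMARC confirm that an authorized sender for the domain sent it, not who wrote it. The sample message, hostnames, the documentation-range domains and the function names are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample (not a real message): mail sent through a help-desk
# platform that the domain's SPF and DKIM records authorize.
SAMPLE = """\
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=support.example.org;
 dkim=pass (2048-bit key) header.d=example.org header.s=helpdesk1;
 dmarc=pass (p=none) header.from=example.org
From: Support <info@example.org>
Subject: Re: your ticket

body
"""

COMMENT = re.compile(r"\([^()]*\)")  # RFC 8601 comments, e.g. "(p=none)"
RESULT = re.compile(r"^(spf|dkim|dmarc)=(\w+)")
PROP = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=(\S+)")

def auth_results(raw, trusted_authserv):
    """Return {method: (result, identity)}, reading only our own server's header."""
    msg = message_from_string(raw)
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        # Unfold the header, then split off the authserv-id that wrote it.
        authserv, _, rest = " ".join(value.split()).partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # a header added by any other host can be forged
        for clause in COMMENT.sub("", rest).split(";"):
            clause = clause.strip()
            m = RESULT.match(clause)
            if m:
                p = PROP.search(clause)
                out[m.group(1)] = (m.group(2).lower(),
                                   p.group(2).lower() if p else None)
    return out

def triage(raw, trusted_authserv):
    res = auth_results(raw, trusted_authserv)
    ok = all(res.get(k, ("none",))[0] == "pass" for k in ("spf", "dkim", "dmarc"))
    # "pass" means an authorized sender for the domain sent the message.
    # A stolen help-desk API token yields the same result as legitimate staff.
    return "authorized-sender" if ok else "unauthenticated"
```

Content-level signals (unexpected replies on old tickets, out-of-band confirmation from the organization) are what distinguish the two cases once the authentication checks pass.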



Brewster Kahle, founder of the Internet Archive, said, 'We are working around the clock to improve the security of our site and are committed to reopening a more secure Internet Archive. Many services will resume in the coming days, but full restoration will take time. We are taking a measured approach to rebuilding and strengthening our defenses. Our top priority is ensuring that the Internet Archive comes online stronger and more secure.'

in Web Service, Security, Posted by log1r_ut