An illicit JavaScript pop-up on the Internet Archive proclaimed on Wednesday afternoon that the site had suffered a major data breach. Hours later, the organization confirmed the incident.
Longtime security researcher Troy Hunt, who runs the data-breach-notification website Have I Been Pwned (HIBP) also confirmed that the breach is legitimate. He said it occurred in September and that the stolen trove contains 31 million unique email addresses along with usernames, bcrypt password hashes, and other system data. Bleeping Computer, which first reported the breach, also confirmed the validity of the data.
“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach?” the attackers wrote in Wednesday's Internet Archive pop-up message. “It just happened. See 31 million of you on HIBP!”
In addition to the breach and site defacement, the Internet Archive has been grappling with a wave of distributed denial-of-service attacks that have intermittently brought down its services.
“The Internet Archive’ services have been taken offline to recover from ongoing intermittent DDoS attacks,” Internet Archive founder Brewster Kahle told WIRED on Thursday. He added that he will provide further updates through his X account.
Kahle provided a public update on Wednesday evening in a post on X. “What we know: DDOS attack—fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords. What we’ve done: Disabled the JS library, scrubbing systems, upgrading security. Will share more as we know it.” “Scrubbing systems” refer to services that offer DDoS attack protection by filtering malicious junk traffic so it can't deluge and disrupt a website.
The Internet Archive has faced aggressive DDoS attacks numerous times in the past, including in late May. As Kahle wrote on Wednesday: “Yesterday's DDoS attack on @internetarchive repeated today. We are working to bring http://archive.org back online.” The hacktivist group known as BlackMeta claimed responsibility for this week's DDoS attacks and said it plans to carry out more against the Internet Archive. Still, the perpetrator of the data breach is not yet known.
The Internet Archive has faced battles on many fronts in recent months. In addition to repeated DDoS attacks, the organization is also facing mounting legal challenges. It recently lost an appeal in Hachette v. Internet Archive, a lawsuit brought by book publishers, which argued that its digital lending library violated copyright law. Now it’s facing an existential threat in the form of another copyright lawsuit, this one from music labels, which may result in damages upwards of $621 million if the court rules against the archive.
HIBP's Hunt says that he first received the stolen Internet Archive data on September 30, reviewed it on October 5, and warned the organization about it on October 6. He says the group confirmed the breach to him the next day and that he planned to load the data into HIBP and notify its subscribers about the breach on Wednesday. “They get defaced and DDoS'd, right as the data is loading into HIBP,” Hunt wrote. “The timing on the last point seems to be entirely coincidental.”
Hunt added, too, that while he encouraged the group to publicly disclose the data breach itself before the HIBP notifications went out, the extenuating circumstances may explain the delay.
“Obviously I would have liked to see that disclosure much earlier, but understanding how under attack they are, I think everyone should cut them some slack,” Hunt wrote. “They're a nonprofit doing great work and providing a service that so many of us rely heavily on.”
Update 2:30 pm ET, October 10, 2024: Added comment from Internet Archive founder Brewster Kahle.
The Internet Archive was breached again, this time on their Zendesk email support platform after repeated warnings that threat actors stole exposed GitLab authentication tokens.
Since last night, BleepingComputer has received numerous messages from people who received replies to their old Internet Archive removal requests, warning that the organization has been breached as they did not correctly rotate their stolen authentication tokens.
"It's dispiriting to see that even after being made aware of the breach weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets," reads an email from the threat actor.
"As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to info@archive.org since 2018."
"Whether you were trying to ask a general question, or requesting the removal of your site from the Wayback Machine your data is now in the hands of some random guy. If not me, it'd be someone else."
Source: BleepingComputer
The email headers in these emails also pass all DKIM, DMARC, and SPF authentication checks, proving they were sent by an authorized Zendesk server at 192.161.151.10.
Source: BleepingComputer
After publishing this story, BleepingComputer was told by a recipient of these emails that they had to upload personal identification when requesting a removal of a page from the Wayback Machine.
The threat actor may now also have access to these attachments depending on the API access they had to Zendesk and if they used it to download support tickets.
These emails come after BleepingComputer repeatedly tried to warn the Internet Archive that their source code was stolen through a GitLab authentication token that was exposed online for almost two years.
Exposed GitLab authentication tokens
On October 9th, BleepingComputer reported that Internet Archive was hit by two different attacks at once last week—a data breach where the site's user data for 33 million users was stolen and a DDoS attack by an alleged pro-Palestinian group named SN_BlackMeta.
While both attacks occurred over the same period, they were conducted by different threat actors. However, many outlets incorrectly reported that SN_BlackMeta was behind the breach rather than just the DDoS attacks.
Source: BleepingComputer
This misreporting frustrated the threat actor behind the actual data breach, who contacted BleepingComputer through an intermediary to claim credit for the attack and explain how they breached the Internet Archive.
The threat actor told BleepingComputer that the initial breach of Internet Archive started with them finding an exposed GitLab configuration file on one of the organization's development servers, services-hls.dev.archive.org.
BleepingComputer was able to confirm that this token has been exposed since at least December 2022, with it rotating multiple times since then.
Source: BleepingComputer
The threat actor says this GitLab configuration file contained an authentication token allowing them to download the Internet Archive source code.
The hacker says that this source code contained additional credentials and authentication tokens, including the credentials to Internet Archive's database management system. This allowed the threat actor to download the organization's user database, further source code, and modify the site.
The threat actor claimed to have stolen 7TB of data from the Internet Archive but would not share any samples as proof.
However, now we know that the stolen data also included the API access tokens for Internet Archive's Zendesk support system.
BleepingComputer attempted to contact the Internet Archive numerous times, as recently as on Friday, offering to share what we knew about how the breach occurred and why it was done, but we never received a response.
Breached for cyber street cred
After the Internet Archive was breached, conspiracy theories abounded about why they were attacked.
Some said Israel did it, the United States government, or corporations in their ongoing battle with the Internet Archive over copyright infringement.
However, the Internet Archive was not breached for political or monetary reasons but simply because the threat actor could.
There is a large community of people who traffic in stolen data, whether they do it for money by extorting the victim, selling it to other threat actors, or simply because they are collectors of data breaches.
This data is often released for free to gain cyber street cred, increasing their reputation among other threat actors in this community as they all compete for who has the most significant and most publicized attacks.
In the case of the Internet Archive, there was no money to be made by trying to extort the organization. However, as a well-known and extremely popular website, it definitely boosted a person's reputation amongst this community.
While no one has publicly claimed this breach, BleepingComputer was told it was done while the threat actor was in a group chat with others, with many receiving some of the stolen data.
This database is now likely being traded amongst other people in the data breach community, and we will likely see it leaked for free in the future on hacking forums like Breached.
Update 10/20/24: Added information about how some people had to upload personal IDs when requesting removal from Internet Archive.