At the end of this article, you will find explanations of the key technical terms used, such as DDoS attacks, access tokens, and phishing to help clarify the details of the breaches.
The Internet Archive has confirmed a third security breach on October 20, 2024, in what has become a series of escalating cyberattacks. Hackers were able to exploit unrotated Zendesk API tokens to gain access to the platform that manages the Archive's support tickets.
Despite previous warnings and multiple breaches earlier this month, the organization had not or were unable to secure the system adequately, leaving the tokens vulnerable to continued exploitation. The attackers were still able to access and potentially download sensitive support data, including personal identification documents submitted by users.
This breach follows two major attacks earlier in October, which have compounded the damage to the Archive's infrastructure.
The Internet Archive is a nonprofit digital library that was established in 1996 by Brewster Kahle with the goal of providing "universal access to all knowledge." It is widely known for its Wayback Machine, which archives websites and allows users to view them as they appeared in the past, making it a valuable resource for historians, researchers, and the general public.
Beyond websites, the Archive hosts millions of digital items, including books, music, audio files, videos, and software. This vast collection preserves cultural and historical materials that might otherwise be lost. The organization operates primarily on donations and has played an essential role in maintaining digital history.
The first breach occurred on October 9, 2024, involving a dual attack -- a data breach and a Distributed Denial of Service (DDoS) attack. Hackers took advantage of a previously exposed GitLab token, which had been vulnerable since late 2022, to access the Internet Archive's source code and steal user data. This breach affected 31 million users, exposing Bcrypt-hashed passwords, email addresses, and other sensitive information.
Simultaneously, a pro-Palestinian group called SN_BlackMeta launched a DDoS attack that overwhelmed the Archive's servers with traffic, temporarily taking the site offline. Although these attacks happened at the same time, the data breach and the DDoS attack were conducted by different groups.
In mid-October 2024, the second breach occurred when hackers once again exploited unrotated access tokens, this time gaining unauthorized access to the Internet Archive's Zendesk support platform. These tokens, which act as digital keys, were supposed to have been secured after earlier warnings but remained exposed.
The attackers accessed thousands of support tickets dating back to 2018, which may have included personal identification documents. This breach exposed a critical flaw in the Archive's security practices, particularly its failure to rotate API tokens regularly.
This most recent breach occurred when hackers continued to exploit unrotated Zendesk API tokens. These tokens, essentially digital keys, had been exposed in previous attacks, but the Internet Archive failed to rotate or replace them.
This allowed attackers to maintain access to the Archive's Zendesk support platform, where sensitive user support tickets were stored. Some of these tickets contained personal identification documents submitted by users requesting the removal of content from the Archive's services.
This third breach can be traced directly back to vulnerabilities exploited during the first two breaches:
First Breach: October 9, 2024
The first major breach saw hackers taking advantage of a GitLab token that had been left exposed since late 2022. This token allowed the attackers to access the Archive's source code and steal sensitive data, affecting 31 million users. Simultaneously, a DDoS attack by a separate group, SN_BlackMeta, disrupted the site. While this attack primarily targeted the Archive's user data and source code, it highlighted significant weaknesses in the Archive's security practices, including token management.
Second Breach: Mid-October 2024
In the second breach, hackers shifted their focus to the Internet Archive's Zendesk support platform, where they exploited unrotated access tokens. These tokens, which should have been updated following the initial breach, granted unauthorized access to support tickets containing sensitive personal data from users.
Third Breach: October 20, 2024
The third breach is a direct consequence of the same root problem that led to the first and second attacks: the failure to properly manage and rotate access tokens. This allowed the attackers to repeatedly exploit the same vulnerabilities and maintain access to sensitive areas of the Internet Archive's systems. Each subsequent attack built upon the gaps left unresolved by the previous breach, compounding the damage.
The motivation behind these breaches appears to be reputational rather than financial. In underground hacker communities, attackers often seek "cyber street cred" by breaching well-known organizations and leaking large amounts of data.
The Internet Archive, being a significant well-known repository of digital information, was a prime target for hackers looking to build their reputations. Although no ransom demands were made, the stolen data poses risks for phishing attempts and identity theft.
At the time of publishing, I have been unable to contact the Internet Archive for comment, but the official X account posted the following on October 19:
The phrase "I stand with @internetarchive" has been circulating on X (formerly known as Twitter) as a show of support for the Internet Archive in light of its recent cyberattacks.
By tweeting "I stand with @internetarchive," individuals are expressing solidarity with the Archive's mission to provide free access to knowledge and preserve the digital record of the internet. The phrase has become a sort of rallying cry for users, researchers, and digital rights advocates who believe in the importance of the Archive's work for future generations.
According to their website, "The Internet Archive (archive.org) is a 501(c)(3) non-profit that was founded to build an Internet library, with the purpose of offering permanent access for researchers, historians, and scholars to historical collections that exist in digital format. Founded in 1996, the Internet Archive has an historical web collection (the Wayback Machine) of over 150 billion web pages, about 240,000 movies, over 500,000 audio items (including over 70,000 live concerts), over 1,800,000 texts, 1600 education items, and over 30,000 software items. And we're growing bigger every day!"
For information on how to donate to the Internet Archive, they have a page explaining exactly how to do that.