The Internet Archive hit with a new level of cyberattack

It's been a rocky few weeks for digital library The Internet Archive, following a number of distributed-denial-of-service (DDoS) attacks which left the service offline and allowed hackers to access the data of up to 31 million users.

The stolen data was initially said to include email addresses, screen names, and bcrypt-hashed passwords. Now, however, there appears to be confirmation that email addresses relating to Internet Archive support tickets have been stolen.

Numerous Internet Archive users have shared their experience of receiving replies from the info@archive.org support email that appear to have been sent by one of those responsible for the attack, who still maintains some level of control over Internet Archive systems.

API keys not rotated

An email received by The Verge from the Internet Archive stated:


“It’s dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets.

As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to info@archive.org since 2018.

Whether you were trying to ask a general question, or requesting the removal of your site from the Wayback Machine—your data is now in the hands of some random guy. If not me, it’d be someone else.

Here’s hoping that they’ll get their shit together now.”


An application programming interface (API) key is a token used to authenticate an application or user to an API. API keys are unique and kept secret to prevent unauthorized access, and are typically rotated to limit the window of opportunity available to an attacker who compromises a key. However, according to the author of the email, the Internet Archive apparently did not follow the best practices for API key security.

A blog post from Internet Archive founder Brewster Kahle published on October 18 said that “The stored data of the Internet Archive is safe and we are working on resuming services safely. This new reality requires heightened attention to cyber security and we are responding. We apologize for the impact of these library services being unavailable.”

“We’re taking a cautious, deliberate approach to rebuild and strengthen our defenses. Our priority is ensuring the Internet Archive comes online stronger and more secure,” Kahle’s statement continued.

Jake Moore, Global Cybersecurity Advisor, ESET, said, “The Internet Archive failed to replace the previously stolen digital keys which has left the platform vulnerable once again to persistent attackers. Failure to clean up any exposed vulnerabilities, such as breached tokens, can lead to further problems like what we are witnessing here. Threat actors, including both the original attackers and new groups testing their (if any) new security, will continue to target a platform until a full patch is delivered and working.”

“As a result of this latest breach, attackers were able to gain access to even more sensitive user information and once again have put their users at risk. This highlights the importance of quick reactions and protocol following a cyberattack. It is vital that companies act swiftly in a full audit as it is clear that malicious actors will come back time and time again to test their new defences,” Moore said.

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.