The Internet Archive hit with a new level of cyberattack
API key rotation apparently wasn't a thing at the Internet Archive
It's been a rocky few weeks for digital library The Internet Archive, following a number of distributed-denial-of-service (DDoS) attacks which left the service offline and allowed hackers to access the data of up to 31 million users.
The stolen data was initially said to include email addresses, screen names, and Bcrypt passwords. Now, however, there seems to be some confirmation that email addresses relating to Internet Archive support tickets have definitely been stolen.
Numerous Internet Archive users have shared their experience of receiving replies from the info@archive.org support email that appear to have been sent by one of those responsible for the attack, who still maintains some level of control over Internet Archive systems.
API keys not rotated
An email received by The Verge from the Internet Archive stated:
“It’s dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets.
As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to info@archive.org since 2018.
Whether you were trying to ask a general question, or requesting the removal of your site from the Wayback Machine—your data is now in the hands of some random guy. If not me, it’d be someone else.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Here’s hoping that they’ll get their shit together now.”
An application programming interface (API) key is a token used to authenticate an application or user to access an API. API tokens are unique and kept hidden to prevent unauthorized access, and typically rotated to mitigate the window of opportunity presented to a hacker who compromises a key. However, according to the author of the email, the Internet Archive apparently did not follow the best practices for API key security.
A blog post from Internet Archive founder Brewster Kahle published on October 18 said that “The stored data of the Internet Archive is safe and we are working on resuming services safely. This new reality requires heightened attention to cyber security and we are responding. We apologize for the impact of these library services being unavailable.”
“We’re taking a cautious, deliberate approach to rebuild and strengthen our defenses. Our priority is ensuring the Internet Archive comes online stronger and more secure,” Kahle’s statement continued.
Jake Moore, Global Cybersecurity Advisor, ESET, said, “The Internet Archive failed to replace the previously stolen digital keys which has left the platform vulnerable once again to persistent attackers. Failure to clean up any exposed vulnerabilities, such as breached tokens, can lead to further problems like what we are witnessing here. Threats actors, including both the original attackers and new groups testing their (if any) new security, will continue to target a platform until a full patch is delivered and working.”
“As a result of this latest breach, attackers were able to gain access to even more sensitive user information and once again have put their users at risk. This highlights the importance of quick reactions and protocol following a cyberattack. It is vital that companies act swiftly in a full audit as it is clear that malicious actors will come back time and time again to test their new defences,” Moore said.
More from TechRadar Pro
- Internet Archive hacked, millions of records stolen following DDoS attack
- These are the best endpoint protection services
- Take a look at the best VPN with antivirus
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.