Internet Archive Suffers Its Third Cyberattack in a Month: Cybersecurity Lessons and 4 Tips

On October 20, 2024, Internet Archive was once again the target of a cyberattack, marking the third serious incident it has faced in less than a month. The attack on Internet Archive compromised personal identification documents submitted by users through the Zendesk support platform, affecting the privacy of thousands of people who use the services of this digital library.

This alarming event not only highlights a series of technical weaknesses within Internet Archive's security infrastructure, but also the growing sophistication of attacks targeting high-profile organizations.

This sequence of cyberattacks on Internet Archive has exposed a critical vulnerability in API (Application Programming Interface) management and token handling, allowing attackers to exploit security weaknesses. The impact on Internet Archive has been devastating, especially for the users whose data was compromised, and it has underscored the urgent need to improve cybersecurity on critical platforms like Internet Archive.

Below, the ITD Consulting team analyzes what has happened at the Internet Archive and the security failures that have alarmed the wider community.

The October 20 Attack: What Happened?

The third attack on Internet Archive, which occurred on October 20, 2024, exploited a failure to rotate API tokens for Zendesk, the platform that Internet Archive uses to manage its customer service.

A token is a credential that grants access to services via an API, and the periodic rotation of these tokens is a standard security measure that, in this case, was not properly executed. As a result, the attackers gained access to a data dump containing personal identification documents of users, submitted as far back as 2018.


Personal identification documents such as passports, driver's licenses, and social security cards were compromised, exposing Internet Archive users to an extreme risk of identity theft.

Cybercriminals can use this information to carry out fraudulent activities, such as opening fake bank accounts or applying for loans in the names of the victims of this Internet Archive attack.

Why is the Attack on Internet Archive So Serious?

The October 20 attack on Internet Archive was particularly damaging due to the nature of the compromised data. Unlike the loss of passwords or email addresses, which can be changed or recovered, the personal identification information that Internet Archive held is much harder to protect once it has been leaked.

Identity theft is one of the primary concerns arising from such incidents, and victims could face legal and financial issues for years.

Internet Archive had previously attempted to reassure its users after the attacks earlier in the month, stating that they had implemented new layers of security. However, the success of this third attack suggests that these measures were insufficient or poorly executed.

Three Attacks in One Month: A Pattern of Vulnerability

The cyberattack on October 20 adds to two other incidents affecting Internet Archive earlier in the same month. On October 9, Internet Archive was the victim of two simultaneous attacks:

  • Unauthorized Access to GitLab: The attackers exploited an exposed API token on GitLab, allowing them to access Internet Archive's source code and a user database containing personal information of more than 31 million people.

Although passwords were encrypted, access to such a vast database as Internet Archive’s poses a serious security threat to users, as attackers could attempt brute force attacks or search for vulnerabilities in the source code that could be exploited in the future.

  • Distributed Denial-of-Service (DDoS) Attack and Website Defacement: On the same day, the Internet Archive website suffered a DDoS attack, temporarily disrupting the platform's services. In an additional move, the attackers exploited a vulnerability in a JavaScript library used by Internet Archive, allowing them to modify the website's homepage (defacement).

Although this type of attack typically doesn't have long-term consequences, it severely damages the public image and trust in the security of the platform, making it costly for Internet Archive’s reputation.

Zendesk, GitLab, and Cloud Security: What Went Wrong?

Both Zendesk and GitLab are widely used platforms in the business environment for customer support management and source code management, respectively. However, as with any cloud-based service, security largely depends on the proper implementation of available tools and best security practices.

  • Zendesk: As a customer support platform, Zendesk handles large volumes of sensitive data. In this case, the failure to rotate API tokens exposed the organization to the attack. Rotating tokens is a critical measure to prevent prolonged unauthorized access.

Furthermore, the lack of advanced intrusion detection systems allowed the attackers to access the systems for an extended period without being detected.

  • GitLab: In the case of GitLab, the exposure of an API token allowed the attackers to access the platform’s source code. This not only represents a risk to Internet Archive but also exposes potential vulnerabilities in the code itself that could be exploited in future attacks.

Consequences for Users

For users affected by the Internet Archive attacks, the consequences are profound and long-lasting. In addition to identity theft, victims face the possibility of being targeted by phishing attacks and scams in the future. Cybercriminals often use stolen data to impersonate legitimate entities and trick victims into providing additional information or transferring money.

In response to the attack, affected users have expressed their frustration on platforms like Reddit and Twitter, demanding more transparency from the Internet Archive and requesting support measures such as free credit monitoring and legal assistance for potential identity theft victims.

The Internet Archive’s Response: Measures and Mistakes

After the attacks on the Internet Archive on October 9, and again following the October 20 attack, the founder of the Internet Archive, Brewster Kahle, issued several statements acknowledging security failures and promising improvements to systems. However, the Internet Archive's response has been viewed by some critics as insufficient, especially given the severity of the compromised data.

Rather than taking more aggressive preventive actions after the first attacks, the Internet Archive was slow to strengthen its security systems, allowing the October 20 attack to succeed. The organization has claimed that it is working on improving token rotation, multi-factor authentication (MFA), and implementing advanced intrusion detection systems, but for many users, these actions are coming too late.

The Financial and Legal Costs

The cyberattacks on the Internet Archive not only have technical and security consequences but also financial and legal ones. Although the Internet Archive is a nonprofit organization, the attacks have caused significant loss of trust, which could impact its ability to receive donations and funding.

Furthermore, depending on the jurisdiction, the Internet Archive organization may face legal sanctions and fines for failing to implement adequate security measures to protect user data.

In regions like the European Union, the General Data Protection Regulation (GDPR) imposes substantial fines on organizations that fail to adequately protect the personal information of their users. The GDPR allows for penalties of up to 4% of an organization's global annual revenue, an amount that could be devastating for a nonprofit entity.

Who is Behind the Attacks?

While the individuals responsible for the Internet Archive cyberattacks have not been publicly identified, there are several theories about the actors involved. The combined data theft, DDoS, and defacement attacks suggest a level of organization and technical skill that could point to professional hacker groups or even state-sponsored groups.

The interest in targeting the Internet Archive could be related to the nature of the data stored on the platform. As one of the world’s largest digital repositories, the Internet Archive contains vast amounts of historical and cultural information, including books, images, videos, and software.

While the primary goal seems to have been the financial exploitation of personal data held by the Internet Archive, other underlying motives, such as censorship or cultural sabotage, cannot be ruled out.

Cybersecurity Lessons: How to Avoid a Similar Disaster

This attack on the Internet Archive highlights the importance of adopting robust security practices across all organizations, especially those handling large volumes of sensitive data. The following measures could have helped prevent the attack or at least mitigate its impact:

1. API Token Rotation

API token rotation is an essential measure to limit the validity period of a token and thus reduce the time an attacker could use it if compromised. An API token is like a digital key that allows applications to communicate with each other. If an attacker gains access to this token, they can use it to interact with the API as if they were a legitimate user. By implementing periodic rotation policies, organizations ensure that tokens expire after a set period, forcing the generation of new tokens. This drastically reduces the time a stolen token can be exploited. Ideally, rotation should be automated and accompanied by notifications to alert administrators about unusual access or the use of expired tokens so that swift action can be taken.

2. Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) adds an extra layer of security by requiring more than one proof of identity, such as a password combined with a code from a mobile device or a physical token. While this measure is widely recognized as one of the most effective defenses against unauthorized access, many organizations still fail to implement it fully. In the case of the Internet Archive attack, the lack of MFA on critical systems like Zendesk and GitLab allowed attackers to exploit a single vulnerability, such as a compromised password, to gain full access. If MFA had been implemented, the attacker would have needed, in addition to the password, a second factor that they likely could not have obtained, such as a code generated on a separate device. MFA significantly reduces the chances that a single failure could compromise the entire system, making attacks like this much more difficult.

3. Advanced Intrusion Detection Systems (IDS)

Advanced intrusion detection systems (IDS) play a crucial role in the early identification of suspicious activities within a network. These systems monitor network traffic and systems for unusual behavior patterns that may indicate the presence of an attacker. In the case of the Internet Archive, the implementation of an IDS could have detected unauthorized access to Zendesk and GitLab long before the attackers were able to fully exploit the vulnerabilities. An IDS can automatically alert system administrators about unauthorized access attempts, potential data exfiltration, or unusual activities that deviate from normal usage patterns. The integration of an Intrusion Prevention System (IPS) could also have automatically blocked malicious traffic, thus reducing the attackers' ability to move laterally within the network.
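As an added illustration of sections 1 and 3 (this is example code written for this article, not code from the Internet Archive, Zendesk, GitLab or ITD Consulting): a small Python token registry that enforces a maximum token age and supports rotation, plus an audit check that alerts on the use of expired or unknown tokens and on one token exporting attachments in bulk. The 90-day limit, the export threshold, the audit-line format and the token owner names are assumptions made for the example.

```python
from datetime import datetime, timedelta
import secrets
# Assumed rotation policy for this example (not Zendesk's or the Archive's actual setting).
MAX_TOKEN_AGE = timedelta(days=90)
BULK_EXPORT_THRESHOLD = 3  # attachment exports by one token before we alert

class TokenRegistry:
    """Tracks API tokens with their issue time so the age limit can be enforced."""
    def __init__(self):
        self.tokens = {}  # token value -> (owner, issued_at)

    def issue(self, owner, now):
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (owner, now)
        return tok

    def rotate(self, old, now):  # retire `old`; its owner gets a fresh token
        owner, _ = self.tokens.pop(old)
        return self.issue(owner, now)

    def status(self, tok, now):
        if tok not in self.tokens:
            return "unknown"  # revoked, rotated away, or never issued
        return "expired" if now - self.tokens[tok][1] > MAX_TOKEN_AGE else "valid"

    def overdue(self, now):  # tokens that outlived the policy without rotation
        return [t for t in self.tokens if self.status(t, now) == "expired"]

def audit(registry, log_lines):
    """Scan 'ISO-timestamp token action' audit lines; alert on expired or unknown
    tokens and on one token pulling attachments in bulk (a data-dump pattern)."""
    alerts, exports = [], {}
    for line in log_lines:
        ts, tok, action = line.split(" ", 2)
        st = registry.status(tok, datetime.fromisoformat(ts))
        if st != "valid":
            alerts.append(f"{ts} {st} token used for {action}")
        if action.startswith("export_attachments"):
            exports[tok] = exports.get(tok, 0) + 1
            if exports[tok] == BULK_EXPORT_THRESHOLD:
                alerts.append(f"{ts} bulk attachment export by {tok[:6]}...")
    return alerts

def demo():
    reg = TokenRegistry()  # constructed scenario: one token unrotated since 2022, one rotated on time
    stale = reg.issue("support-integration", datetime(2022, 1, 1))  # never rotated
    fresh = reg.rotate(reg.issue("helpdesk-bot", datetime(2024, 6, 1)), datetime(2024, 9, 1))
    log = [f"2024-10-20T10:00:0{i} {stale} export_attachments ticket={i}" for i in range(3)]
    log += [f"2024-10-20T10:01:00 {fresh} list_tickets", "2024-10-20T10:02:00 nosuchtoken list_tickets"]
    return len(reg.overdue(datetime(2024, 10, 20))), audit(reg, log)
```

Running `demo()` reports one token overdue for rotation and five alerts: three uses of the expired token, one bulk-export alert once that token hits the threshold, and one use of an unknown token value.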

4. Staff Education and Awareness

Staff education on security is one of the most important pillars for preventing cyberattacks, as employees are often the first target of attackers through social engineering tactics like phishing. Training employees to identify fraudulent emails, create strong passwords, and properly handle sensitive information can make the difference between a failed attack attempt and a successful one. In the case of the Internet Archive attack, a poorly trained employee could have fallen for a phishing attack or used a weak or repeated password across multiple systems, making it easier for attackers to succeed. Additionally, it is crucial to foster an organizational culture that emphasizes shared responsibility for security, where employees understand the impact their actions can have on the integrity of systems. Regular cyberattack simulations and ongoing training programs can help keep teams alert and well-prepared to recognize and respond to emerging threats.


The third cyberattack against the Internet Archive in less than a month is not only a wake-up call for this organization but also for all institutions that handle large amounts of sensitive data. The rapid evolution of cyberattacks requires a more proactive stance in implementing security measures.

The security failures in platforms like Zendesk and GitLab highlight the importance of adopting multiple layers of defense, from token rotation and multi-factor authentication to continuous staff education on best security practices.

The financial and legal consequences, along with the loss of user trust, could have a lasting impact on the Internet Archive. To prevent future incidents, it is crucial that the organization implements the lessons learned from these attacks and significantly strengthens its security infrastructure.

Meanwhile, affected users of the Internet Archive must take immediate steps to protect themselves from identity theft and other potential abuses resulting from the data breach. If you'd like to learn more about the news or how to protect yourself from cybersecurity threats, reach out to us at [email protected]. We have a team of cybersecurity experts ready to provide solutions tailored to the needs of your business.
