{"id":1205,"date":"2024-11-08T14:59:43","date_gmt":"2024-11-08T21:59:43","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/?p=1205"},"modified":"2024-11-08T14:59:46","modified_gmt":"2024-11-08T21:59:46","slug":"the-multiple-attacks-on-internet-archive","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2024\/11\/08\/the-multiple-attacks-on-internet-archive\/","title":{"rendered":"The multiple attacks on Internet Archive"},"content":{"rendered":"\n
\"\"
Figure:1 Internet Archive Source:BleepingComputer [2]<\/figcaption><\/figure>\n\n\n\n

At present, cybersecurity incidents are increasing day by day. In an unprecedented series of events, the Internet Archive, the famous Wayback Machine, faced multiple significant cyber attacks recently. These incidents have spread through the digital preservation community and raised critical questions regarding the security measures of our collective online heritage.<\/p>\n\n\n\n

The First Data Breach<\/strong>:<\/h2>\n\n\n\n

The Internet Archive suffered a cyberattack in late September that exposed personal information of approximately 31 million users [1]. It is believed that the data was stolen on September 28 and breached on October 9. News of a breach began circulating on October 9 afternoon after the users visiting the archive.org began seeing a JavaScript alert, stating that the internet archive was breached. The JavaScript alert was \u201cHave you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!” [2].<\/p>\n\n\n\n

\"\"
Figure 2: Screenshot of @disclosetv\u2019s post on X (formerly Twitter), JavaScript alert shown on Internet Archive. Source: “Disclose.tv,” X (formerly Twitter) [6].<\/strong><\/figcaption><\/figure>\n\n\n\n

Here, in the JavaScript alert, HIBP refers to the Have I Been Pwned. This is a data breach notification service created by Troy Hunt, with whom hackers commonly share the stolen information to be added to the service. Hunt told BleepingComputer that a hacker shared a database with user information from the Internet Archive. The file is a 6.4GB SQL file called “ia_users.sql” [2]. Troy Hunt told Bleeping Computer that hackers shared stolen information of users, which included email addresses, screen names and bcrypt-hashed passwords on 30 September and he contacted the Internet Archive with the information on 6 October [1]. The latest date on the stolen records is September 28, 2024, which is probably when the database was stolen [1] [2].<\/p>\n\n\n

\n
\"\"
Figure<\/strong> 3:<\/strong> Screenshot of @troyhunt post on X (formerly Twitter), regarding the Internet Archive data breach. Source: “Troy Hunt,” X (formerly Twitter) [7].<\/strong><\/figcaption><\/figure>\n<\/div>\n\n\n

Hunt says there are 31 million different email addresses in the database, and many of them are signed up for the HIBP data breach alert service. Soon, the information will be added to HIBP. This will let users check if their email was involved in this breach. The authenticity of the data was validated after Troy Hunt reached out to users listed in the compromised databases. Among those contacted was cybersecurity researcher Scott Helme, who allowed BleepingComputer to share his exposed record [2].<\/p>\n\n\n\n

\"\"
Figure 4: Exposed record of Scott Helme Source: BleepingComputer [2].<\/strong><\/figcaption><\/figure>\n\n\n\n

Helme confirmed that the bcrypt-hashed password in the data record matched the bcrypt-hashed password stored in his password manager. He also confirmed that the timestamp in the database record aligned with the date of his last password update, providing further evidence of the data’s accuracy [2].<\/p>\n\n\n

\n
\"\"
Figure<\/strong> 5:<\/strong> Password manager entry for archive.org Source:BleepingComputer [2]<\/strong><\/figcaption><\/figure>\n<\/div>\n\n\n

In the first breach, hackers took advantage of the Gitlab token that had been left exposed since December 2022, and taking advantage of it, hackers accessed the Internet Archive\u2019s source code and stole user data [5].<\/p>\n\n\n\n

The DDOS Attack:<\/strong><\/h2>\n\n\n\n

While the archive was still dealing with the aftermath of the data breach, it faced multiple DDOS attacks. The Internet Archive suffered back-to-back DDOS attacks on October 9 and October 10 [1] [4]. Brewster Kahle, chair of the Internet Archive\u2019s board, posted an update on the Internet Archive\u2019s response to the attacks on X:<\/p>\n\n\n\n

\u201cWhat we know: DDOS attack \u2013 fended off for now; defacement of our website via JS library; breach of usernames\/email\/salted-encrypted passwords.<\/p>\n\n\n\n

\u201cWhat we\u2019ve done: Disabled the JS library, scrubbing systems, upgrading security.\u201d [1] [2]<\/p>\n\n\n\n

\"\"
Figure 6: Screenshot of @brewster_kahle post on X (formerly Twitter), confirming the breach and DDOS attacks. Source: “Brewster Kahle,” X (formerly Twitter) [8]<\/strong><\/figcaption><\/figure>\n\n\n\n

On October 10, Brewster Kahle again posted on X that DDOS attacks have resumed taking archive.org and openlibrary.org offline again.<\/p>\n\n\n\n

\"\"
Figure 7: Screenshot of @brewster_kahle post on X (formerly Twitter), posted again saying that the DDOS attacks have resumed, knocking both archive.org and openlibrary.org offline. Source: “Brewster Kahle,” X (formerly Twitter)<\/strong>[8].<\/figcaption><\/figure>\n\n\n\n

The Russia based SN_Blackmeta hacking group claimed a DDOS attack on the Internet Archive and they also said that they will be conducting more attacks through a post on X [3] [4].<\/p>\n\n\n\n

\"\"
Figure 8: Screenshot of @Sn_darkmeta post on X (formerly Twitter), taking responsibility of the DDOS attack. Source: “SN_BLACKMETA” X (formerly Twitter) [9]<\/strong>.<\/figcaption><\/figure>\n\n\n\n

Mid-October 2024 \u2013 The Second Breach<\/strong>:<\/h2>\n\n\n\n

In mid-October 2024, the hackers took advantage of an unrotated access token for breaching the Internet Archive. Hackers were able to get into the Internet Archive’s Zendesk support site without permission. These tokens, which are like digital keys, were meant to be kept safe after earlier alerts, but they were still at risk [5]. This breach exposed a critical flaw in the Archive\u2019s security practices, particularly its failure to rotate API tokens regularly [5].<\/p>\n\n\n\n

October 20, 2024 \u2013 The Third Breach<\/strong>:<\/h2>\n\n\n\n

This breach happened because bad actors continued to exploit unrotated Zendesk API tokens that had not been rotated. These tokens, which are like digital keys, were exposed in earlier attacks, but the Internet Archive didn’t change or replace them. As a result, the hackers maintained their access to the Internet Archive Zendesk support platform, where sensitive user support tickets were stored [5].<\/p>\n\n\n\n

The Link Between the Breaches<\/strong>:<\/h2>\n\n\n\n

The third breach is directly connected to the vulnerability that was exploited during the first two breaches:<\/p>\n\n\n\n

First Breach: October 9, 2024<\/strong><\/h2>\n\n\n\n

In the first breach, bad actors exploited a GitLab token that had been exposed since late 2022. This allowed them to access the source code of the Internet Archive and put the sensitive information of 31 million users at risk. At the same time, the group SN_BlackMeta started a DDoS attack, which caused the website to have problems [5].<\/p>\n\n\n\n

Second Breach: Mid-October,2024<\/strong><\/h2>\n\n\n\n

In this breach, the bad actors targeted the Internet Archive Zendesk support platform by taking advantage of unrotated access tokens. These tokens should have been updated after the initial breach, but they were not and enabled unauthorized access to support tickets containing personal data from users [5].<\/p>\n\n\n\n

Third Breach: October 20, 2024<\/strong><\/h2>\n\n\n\n

The third breach happened because of the same main issue that caused the first two attacks: not managing and changing access tokens correctly. This allowed the attackers to continue exploiting the same vulnerabilities to access critical areas of the Internet Archive’s systems. Each new attack took advantage of the problems that the earlier attack didn’t fix, making the damage worse [5].<\/p>\n\n\n\n

Coclusion:<\/strong><\/h2>\n\n\n\n

This incident serves as a wake-up call for the organizations to implement proactive security measures, regular system updates and regularly rotate security tokens. This incident shows how even organizations like the Internet Archive are vulnerable if fundamentals of security are neglected. <\/p>\n\n\n\n

Hackers are exploiting the systems using advanced technologies and tools and raising concerns for cybersecurity professionals to come up with rigid solutions to counter the sophisticated threats. It is our collective responsibility to counter these types of attacks by properly managing the system.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Reference:<\/h2>\n\n\n\n
    \n
  1. https:\/\/www.siliconrepublic.com\/enterprise\/internet-archive-cyber-attack-2024<\/a><\/li>\n\n\n\n
  2. https:\/\/www.bleepingcomputer.com\/news\/security\/internet-archive-hacked-data-breach-impacts-31-million-users\/<\/a><\/li>\n\n\n\n
  3. https:\/\/www.cyberdaily.au\/security\/11215-internet-archive-down-claims-catastrophic-data-breach-impacting-31-million<\/a><\/li>\n\n\n\n
  4. https:\/\/www.techrepublic.com\/article\/internet-archive-accounts-exposed\/<\/a><\/li>\n\n\n\n
  5. https:\/\/www.forbes.com\/sites\/larsdaniel\/2024\/10\/20\/internet-archive-breached-again-third-cyber-attack-in-october-2024\/<\/a><\/li>\n\n\n\n
  6. https:\/\/x.com\/disclosetv\/status\/1844135950324203802<\/a><\/li>\n\n\n\n
  7. https:\/\/x.com\/troyhunt\/status\/1844148532703526928<\/a><\/li>\n\n\n\n
  8. https:\/\/x.com\/brewster_kahle\/status\/1844183111514603812<\/a><\/li>\n\n\n\n
  9. https:\/\/x.com\/Sn_darkmeta\/status\/1844080692772401399<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"

    At present, cybersecurity incidents are increasing day by day. In an unprecedented series of events, the Internet Archive, the famous Wayback Machine, faced multiple significant cyber attacks recently. These incidents have spread through the digital preservation community and raised critical questions regarding the security measures of our collective online heritage. The First Data Breach: The … <\/p>\n

    Continue reading “The multiple attacks on Internet Archive”<\/span><\/a><\/p>\n","protected":false},"author":693,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[1],"tags":[6,11],"class_list":["post-1205","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-data-breach","tag-security","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Akshar Ketanbhai Patel","author_link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/author\/akshar-ketanbhai-patel\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/1205","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/users\/693"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/comments?post=1205"}],"version-history":[{"count":2,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/1205\/revisions"}],"predecessor-version":[{"id":1217,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/1205\/revisions\/1217"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/media?parent=1205"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/categories?post=1205"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/tags?post=1205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}