

Internet Archive Users Start Receiving Email From 'Some Random Guy' Criticizing Unpatched Hole (bleepingcomputer.com)

(Sunday October 20, 2024 @04:58PM (EditorDavid) from the all-your-base-are-belong-to-us dept.)


A post [1]shared Saturday on social media acknowledges those admins and developers at the Internet Archive working "literally round the clock... They have taken no days off this past week. They are taking none this weekend... they are working with all of their energy and considerable talent."

It describes people "working so incredibly hard... putting their all in," with a top priority of "getting the site back secure and safe".

But there are new and continuing problems, [2]reports The Verge's weekend editor:

> Early this morning, I received an email from "The Internet Archive Team," replying to a message I'd sent on October 9th. Except its author doesn't seem to have been the digital archivists' support team — it was apparently written by the hackers who breached the site earlier this month and who evidently maintain some level of access to its systems.

>

> I'm not alone. Users on the Internet Archive subreddit are [3]reporting getting the replies, as well. Here is the message I received:

>

> It's dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets.

>

> As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to info@archive.org since 2018.

>

> Whether you were trying to ask a general question, or requesting the removal of your site from the Wayback Machine — your data is now in the hands of some random guy. If not me, it'd be someone else.

The site [4]BleepingComputer believes they know the larger context, starting with the fact that they've also "received numerous messages from people who received replies to their old Internet Archive removal requests... The email headers in these emails also pass all DKIM, DMARC, and SPF authentication checks, proving they were sent by an authorized Zendesk server."

BleepingComputer also writes that they'd "repeatedly tried to warn the Internet Archive that their source code was stolen through a GitLab authentication token that was exposed online for almost two years."

And that "the threat actor behind the actual data breach, who contacted BleepingComputer through an intermediary to claim credit for the attack," has been frustrated by misreporting. (Specifically, they insist there were two separate attacks last week — a DDoS attack and a [5]separate data breach for a 6.4-gigabyte database which includes email addresses for the site's 33 million users.)

> The threat actor told BleepingComputer that the initial breach of Internet Archive started with them finding an exposed GitLab configuration file on one of the organization's development servers, services-hls.dev.archive.org. BleepingComputer was able to confirm that this token has been exposed since at least December 2022, with it rotating multiple times since then. The threat actor says this GitLab configuration file contained an authentication token allowing them to download the Internet Archive source code. The hacker says that this source code contained additional credentials and authentication tokens, including the credentials to Internet Archive's database management system. This allowed the threat actor to download the organization's user database, further source code, and modify the site.

>

> The threat actor claimed to have stolen 7TB of data from the Internet Archive but would not share any samples as proof. However, now we know that the stolen data also included the API access tokens for Internet Archive's Zendesk support system. BleepingComputer attempted to contact the Internet Archive numerous times, as recently as on Friday, offering to share what we knew about how the breach occurred and why it was done, but we never received a response.

"The Internet Archive was not breached for political or monetary reasons," they conclude, "but simply because the threat actor could...

"While no one has publicly claimed this breach, BleepingComputer was told it was done while the threat actor was in a group chat with others, with many receiving some of the stolen data. This database is now likely being traded amongst other people in the data breach community, and we will likely see it leaked for free in the future on hacking forums like Breached."



[1] https://www.reddit.com/r/internetarchive/comments/1g71v9m/insider_report/?share_id=_tbIA32oVUUB8Q2dcsurU&utm_content=1&utm_medium=ios_app&utm_name=ioscss&utm_source=share&utm_term=1

[2] https://www.theverge.com/2024/10/20/24274826/internet-archive-hackers-replying-zendesk-tickets

[3] https://www.reddit.com/r/internetarchive/comments/1g7sb6b/well_thats_concerning_got_this_reply_on_an_email/

[4] https://www.bleepingcomputer.com/news/security/internet-archive-breached-again-through-stolen-access-tokens/

[5] https://www.bleepingcomputer.com/news/security/internet-archive-hacked-data-breach-impacts-31-million-users/



Good thing we have Anna's Archive and Libgen (Score:3)

by innocent_white_lamb ( 151825 )

Much as people dump on Anna's Archive and Libgen for being "illegal", they provide a secondary source for a huge volume of valuable data which is, obviously, not entirely safe with a single originator.

What a jackass (Score:4, Insightful)

by rabbirta ( 10188987 )

This is like going through the Twitter leaks and emailing everyone whining about the security of Twitter.

Or LinkedIn. Except it's archive.org so there isn't even any anti-corporate angle, it's just being a dumbass and shitting in the punch bowl.

Random idea (Score:2)

by Waffle Iron ( 339739 )

Maybe these public repo hosting services should automatically scan every checkin for strings that look like auth tokens or other secrets, and ask the users if they really want to continue before performing a commit.
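The check Waffle Iron describes can also run locally, before anything reaches a hosting service. Below is an added illustration (not Internet Archive, GitLab or Slashdot code) of a git pre-commit hook that scans only the lines being added in the staged diff for known token prefixes and for high-entropy values assigned to names like `token` or `api_key`; the prefixes and AWS key shape are real public formats, the assignment rule is a heuristic, and the sample inputs in the test are constructed.

```python
#!/usr/bin/env python3
"""Pre-commit secret scanner (added illustration, not any project's own hook).

Copy to .git/hooks/pre-commit and make it executable. It reads the staged
diff, flags lines that look like credentials, and exits non-zero so git
refuses the commit. The generic-assignment rule will produce some false
positives; tune `min_entropy` or add an allow-list for your repository.
"""
import math
import re
import subprocess
import sys

# Known token formats (public prefixes); the entropy rule catches the rest.
PATTERNS = {
    "gitlab-pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}"),
    "github-pat": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}"),
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# key = value / key: value assignments such as ZENDESK_TOKEN="..." or api_key: ...
ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9+/=_-]{16,})")

def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens sit well above prose or identifiers."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_secrets(text: str, min_entropy: float = 3.8):
    """Return (line, label, value) for every suspicious line in `text`."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line_hits = []
        for label, pat in PATTERNS.items():
            line_hits += [(label, m.group(0)) for m in pat.finditer(line)]
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            # Skip values already reported by a known-format pattern.
            if shannon_entropy(value) >= min_entropy and all(value not in v for _, v in line_hits):
                line_hits.append(("high-entropy-assignment", value))
        hits += [(lineno, label, value) for label, value in line_hits]
    return hits

def staged_added_lines() -> str:
    """Only the '+' lines of the staged diff, without the '+++' file headers."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in diff.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))

if __name__ == "__main__":
    found = find_secrets(staged_added_lines())
    for lineno, label, value in found:
        print(f"refusing commit: {label} on staged line {lineno}: {value[:8]}...", file=sys.stderr)
    sys.exit(1 if found else 0)
```

A local hook can be skipped with `git commit --no-verify`, so it complements rather than replaces server-side push rules and secret scanning; and once a token has been committed anywhere, the only safe response is the one the article faults the Internet Archive for delaying, rotating it.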

Re: (Score:1)

by Jrabbit05 ( 943335 )

The good ones (GitHub) already do.

A DDOS attack (Score:3)

by vbdasc ( 146051 )

is not a data breach. Just sayin'.

Re: (Score:2)

by EditorDavid ( 4512125 )

You're right. (I just went in and changed it to "attacks"...)

Nigerian prince or extended car warranty? (Score:2)

by jfdavis668 ( 1414919 )

Besides political ones, I get a lot of these, too.

Re: (Score:2)

by fahrbot-bot ( 874524 )

Who wouldn't want an extended car warranty backed by royalty?

I'm not blaming the victim (Score:4, Insightful)

by 93 Escort Wagon ( 326346 )

... and running your own git server doesn't magically solve every possible security problem - you can still get breached, and you can still do dumb things like leave a private key in the repo. But... this drives home to me, again, that I prefer running our own on-premises git server for our work repositories.

It's not hard to run a git server. And, if you really want a gui for some reason, you can still have one.
