According to the threat actor, they now have access to sensitive attachments uploaded by users depending on their API access to Zendesk. If the attackers exploited this access, they could have downloaded support tickets that included personal identification documents and other sensitive information submitted by users

The breach stems from a GitLab configuration file left exposed since at least December 2022. The configuration file included authentication tokens that allowed attackers to download the organization's source code. Further investigation revealed that this code contained additional credentials, including access to the organization's database management system. As a result, the attackers claimed to have stolen 7TB of data, although they did not provide any sample data to prove their claims. The incident has raised concerns about the security of Internet Archive’s systems, especially considering the organization's slow response to prior warnings.

This breach coincided with a DDoS attack targeting the Internet Archive by a pro-Palestinian group named SN_BlackMeta, although the two attacks were unrelated. Misreporting initially blamed the breach on this group, frustrating the actual attackers. The individuals behind the data theft later contacted researchers to clarify their role and explain the breach's origins. According to the attackers, they breached the organization simply because they could, citing an exposed GitLab token as the entry point to the system.

While the breach does not appear to have been financially motivated, the Internet Archive’s popularity made it a prime target for cybercriminals seeking "street cred" within the hacker community. The stolen data is likely circulating within these circles and may eventually be leaked on dark web forums. This incident underscores the growing challenges organizations face in securing their systems, especially when sensitive authentication tokens are left vulnerable for extended periods

Impact

• Unauthorized Access
• Sensitive Data Theft

Remediation

• Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
• Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
• Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Never trust or open links and attachments received from unknown sources/senders.