New Internet Archive Breach Tied to Stolen Zendesk Tokens
Internet Archive Hit Again: Zendesk Breach Exposes 800K Support Tickets
The Internet Archive has suffered yet another breach, this time targeting its Zendesk email support platform. Despite warnings about exposed GitLab tokens, the organization failed to rotate its stolen credentials, leading to the compromise of its support system and the exposure of sensitive data.
800K Tickets Exposed: Data from Wayback Removal Requests at Risk
According to the threat actor, they accessed over 800,000 support tickets sent to [email protected] since 2018. These include personal information from individuals requesting the removal of content from the Wayback Machine. The attacker said, “Whether you were asking a general question or requesting the removal of your site… your data is now in the hands of some random guy.”
Image: Internet Archive Zendesk emails sent by the threat actor (Source: BleepingComputer)
The headers of these emails also pass all DKIM, DMARC, and SPF authentication checks, showing they were sent by an authorized Zendesk server at 192.161.151.10.
Image: Internet Archive Zendesk email headers (Source: BleepingComputer)
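To see what the header check above involves, here is an added example (not code from the article or from BleepingComputer) that parses the Authentication-Results and Received headers of a raw message and reports whether DKIM, SPF and DMARC all passed and which server handed the mail to the receiving MX. The two messages are constructed samples using documentation-range IPs and example domains, not the leaked emails. The point a responder should take from it is the one the article makes: a full pass proves the mail left the authorized platform's infrastructure, which is exactly what you see when the platform itself, rather than the sender's domain, has been compromised.

```python
import re
from email import message_from_string

METHODS = ("dkim", "spf", "dmarc")

# Constructed sample: a message that transited the (example) support platform.
SAMPLE_LEGIT = """Received: from out.example-zendesk.test (out.example-zendesk.test [192.0.2.10])
    by mx.example.org with ESMTPS id abc123
Authentication-Results: mx.example.org;
    dkim=pass header.d=example-zendesk.test header.s=sel1;
    spf=pass (mx.example.org: 192.0.2.10 is a permitted sender) smtp.mailfrom=bounce@example-zendesk.test;
    dmarc=pass header.from=archive.example
From: Support <info@archive.example>
To: user@example.org
Subject: constructed sample

Body text.
"""

# Constructed sample: a look-alike sent from an unrelated host.
SAMPLE_SPOOFED = """Received: from mail.unrelated.test (mail.unrelated.test [198.51.100.7])
    by mx.example.org with ESMTP id def456
Authentication-Results: mx.example.org;
    dkim=fail header.d=archive.example;
    spf=softfail smtp.mailfrom=info@archive.example;
    dmarc=fail header.from=archive.example
From: Support <info@archive.example>
To: user@example.org
Subject: constructed sample

Body text.
"""


def parse_authentication_results(header_value):
    """Return {method: result} for dkim/spf/dmarc from one Authentication-Results header.

    The header is 'authserv-id; method=result ...; method=result ...', so the
    first ';'-separated field is the verifier's identity and is skipped.
    """
    results = {}
    for clause in header_value.split(";")[1:]:
        m = re.match(r"(dkim|spf|dmarc)\s*=\s*(\w+)", clause.strip(), re.IGNORECASE)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def sending_ip(msg):
    """Extract the bracketed IPv4 literal from the topmost (most recent) Received header."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return m.group(1) if m else None


def check_message(raw):
    """Summarise authentication status and handoff IP for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    results = parse_authentication_results(msg.get("Authentication-Results", ""))
    return {
        "results": results,
        "all_pass": all(results.get(method) == "pass" for method in METHODS),
        "sending_ip": sending_ip(msg),
        "from": msg.get("From"),
    }


if __name__ == "__main__":
    for label, raw in (("legit", SAMPLE_LEGIT), ("spoofed", SAMPLE_SPOOFED)):
        print(label, check_message(raw))
```

When triaging mail like this, treat `all_pass` as evidence about the sending infrastructure, not about the sender's intent; the follow-up question is whether that infrastructure (here, the ticketing platform) is still under the organisation's control.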
Authentication Tokens Left Exposed for 2 Years: Source Code and Data Stolen
The attacker first gained access by discovering an exposed GitLab configuration file on one of the Internet Archive’s development servers, which contained an authentication token. The token had been exposed for almost two years, allowing the hacker to download 7TB of source code, user databases, and other critical information.
Image: Exposed Internet Archive GitLab authentication token (Source: BleepingComputer)
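The token described above sat in a readable configuration file for nearly two years; a routine secret scan of deployed configuration would have flagged it. As an added example (not the Internet Archive's file or tooling), the following Python scans a constructed GitLab-style configuration for two things: values carrying GitLab's `glpat-` personal-access-token prefix, and any assignment to a key named like a credential whose value has high Shannon entropy. The sample config, key names and token value are all made up. Findings are reported with the value redacted so the scanner's own output does not become another leak.

```python
import math
import re

# Constructed sample config (hypothetical; not the Internet Archive's file).
SAMPLE_CONFIG = """# gitlab.rb -- constructed sample
external_url 'https://gitlab.example.test'
gitlab_rails['smtp_password'] = "correct-horse-battery-staple-2024"
# a GitLab-style personal access token (value is made up)
ci_token = "glpat-xQ7rT2mK9vL4nP8sW1yZ"
log_level = "info"
"""

# GitLab personal access tokens are prefixed 'glpat-' followed by the random part.
GITLAB_TOKEN_RE = re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b")

# Assignments (key = value / key: value) whose key looks credential-like.
ASSIGNMENT_RE = re.compile(
    r"""(?P<key>[\w\[\]'".-]*?(?:token|secret|password|key)[\w\[\]'"]*)\s*[=:]\s*["']?(?P<value>[^"'\s#]+)""",
    re.IGNORECASE,
)

MIN_LENGTH = 12      # shorter values are rarely machine-generated secrets
MIN_ENTROPY = 3.0    # bits per character; plain words sit well below this


def shannon_entropy(s):
    """Bits of entropy per character of s, estimated from its own character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value):
    """Keep a short prefix so the finding is recognisable, hide the rest."""
    return value[:4] + "***"


def scan_config(text):
    """Return a list of findings: dicts with line number, kind, key and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # comments are not assignments (tokens pasted in comments would still match below)
        m = GITLAB_TOKEN_RE.search(line)
        if m:
            findings.append({"line": lineno, "kind": "gitlab_pat",
                             "key": None, "value": redact(m.group(0))})
            continue
        m = ASSIGNMENT_RE.search(line)
        if m:
            value = m.group("value")
            if len(value) >= MIN_LENGTH and shannon_entropy(value) >= MIN_ENTROPY:
                findings.append({"line": lineno, "kind": "high_entropy_secret",
                                 "key": m.group("key"), "value": redact(value)})
    return findings


if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f)
```

A hit of kind `gitlab_pat` is actionable on its own: the token is revoked on the GitLab side first, then removed from the file, because deleting the file does nothing for copies already taken. Running this in CI over rendered configuration, not just source, is what catches the case the article describes, where the exposure lived on a development server rather than in a repository.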
Risk of Personal IDs Leaked: Threat Actor May Have Access to Sensitive Files
Some users requesting removal from the Wayback Machine had to upload personal identification, which may now be compromised. Depending on the attacker’s API access to the Zendesk support system, these attachments could be in the hands of threat actors, raising serious privacy concerns.
Breach Motivated by Cyber Street Cred, Not Extortion or Politics
While there was speculation that the breach was politically motivated or related to copyright battles, the attack appears to have been driven purely by the hacker’s desire for cyber street credibility. With no monetary gain to be made from extorting the Internet Archive, the hacker sought recognition within the cybercriminal community.
Source: bleepingcomputer.com