October 20, 2024 at 10:58AM
The Internet Archive experienced another breach, exposing user data and Zendesk support emails, because stolen GitLab authentication tokens were never properly rotated. A threat actor claimed credit for the breach, asserting they stole 7TB of data, not for profit but to gain notoriety among cybercriminals.
### Meeting Takeaways
1. **Breach Overview**:
– The Internet Archive experienced another breach, specifically targeting their Zendesk email support platform.
– Threat actors utilized stolen GitLab authentication tokens, which were inadequately rotated.
2. **Impact on Users**:
– Users received notifications regarding data breaches related to their past Internet Archive removal requests.
– An email from the threat actor revealed that over 800,000 support tickets could potentially be accessed due to compromised tokens.
3. **Email Authentication**:
– Emails sent by the threat actor passed all authentication checks (DKIM, DMARC, SPF), confirming they were sent from a legitimate Zendesk server.
4. **Background of the Breach**:
– BleepingComputer had previously warned the Internet Archive about the exposed GitLab authentication token, which had been visible for nearly two years.
– The breach resulted in the theft of user data for 33 million accounts and was paired with a DDoS attack conducted by a different group.
5. **Mechanism of the Attack**:
– The breach initiated from an exposed GitLab configuration file on the development server of the Internet Archive.
– The threat actor claimed to have accessed significant data, including the organization’s source code and database management credentials.
6. **Extent of Data Compromise**:
– Approximately 7TB of data was reportedly stolen, but samples were not shared to substantiate the claim.
7. **Motivation Behind the Breach**:
– The breach was not politically or financially motivated; rather, it was an act aimed at gaining credibility and reputation within the cybercriminal community.
– The stolen data is expected to circulate among other threat actors and may be leaked in the future on various hacking forums.
8. **Failure to Communicate**:
– Despite multiple outreach attempts by BleepingComputer to the Internet Archive for insights on the breach, no response was received.
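The email authentication point above (takeaway 3) is worth seeing in code: SPF, DKIM and DMARC verdicts only establish that a message left infrastructure authorised for the sender's domain, which is exactly why mail sent through a compromised support platform passes all three. The following Python parser for an `Authentication-Results` header is an added example, not code from the article or from Zendesk or the Internet Archive; the header text, domains and selector are constructed placeholders, and the `triage_note` wording is this example's own analyst guidance.

```python
"""Parse an RFC 8601 Authentication-Results header and summarise the
SPF / DKIM / DMARC verdicts.

Added illustration (not from the article): a 'pass' on all three only
proves the message left infrastructure authorised for the sender domain,
as with the Zendesk-delivered emails described above; it says nothing
about whether the platform or account that composed it was misused.
"""
import re

# Constructed sample header, modelled on what a receiving MTA writes.
# Hostnames, domains and the selector are placeholders, not article values.
SAMPLE_HEADER = (
    "Authentication-Results: mx.example.net;\n"
    " spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=support@example-helpdesk.test;\n"
    " dkim=pass header.d=example-helpdesk.test header.s=sel1;\n"
    " dmarc=pass (p=reject) header.from=example-helpdesk.test"
)

METHODS = ("spf", "dkim", "dmarc")


def parse_authentication_results(header: str) -> dict:
    """Return {'authserv_id': str, 'results': {method: verdict}}."""
    # Unfold RFC 5322 continuation lines, then drop the header name.
    body = re.sub(r"\r?\n[ \t]+", " ", header)
    body = re.sub(r"^Authentication-Results:\s*", "", body, flags=re.I)
    # Sections are ';'-separated: first is the authserv-id, rest are resinfo.
    parts = [p.strip() for p in body.split(";") if p.strip()]
    authserv_id = parts[0].split()[0] if parts else ""
    results = {}
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)", part)   # e.g. "dkim=pass header.d=..."
        if m and m.group(1).lower() in METHODS:
            results[m.group(1).lower()] = m.group(2).lower()
    return {"authserv_id": authserv_id, "results": results}


def all_pass(parsed: dict) -> bool:
    """True when SPF, DKIM and DMARC all report 'pass'."""
    return all(parsed["results"].get(m) == "pass" for m in METHODS)


def triage_note(parsed: dict) -> str:
    """Analyst-facing summary: the verdicts decide *where* a message came
    from, not whether the sending platform was legitimately used."""
    if all_pass(parsed):
        return ("authenticated origin: message left infrastructure authorised "
                "for the sender domain; verify platform/account integrity "
                "before trusting the content")
    failed = [m for m in METHODS if parsed["results"].get(m) != "pass"]
    return "authentication failed or missing for: " + ", ".join(failed)


if __name__ == "__main__":
    parsed = parse_authentication_results(SAMPLE_HEADER)
    print(parsed["results"])
    print(triage_note(parsed))
```

For a SOC, the practical consequence is that "all checks passed" should route a suspicious support email toward platform-compromise and token-misuse investigation rather than closing it as authentic.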
### Action Items:
– Enhance the security measures for API keys and authentication tokens to prevent further breaches.
– Communicate transparently with users affected by the breach.
– Investigate the breach’s details to understand vulnerabilities and improve system responses.
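The first action item, securing API keys and authentication tokens, comes down to an inventory check that catches the two failure modes this incident illustrates: tokens older than the rotation window, and tokens reported as exposed but never rotated after the exposure date. The script below is an added example, not from the article or the Internet Archive; the 90-day window, the token names, and the dates are assumed placeholders.

```python
"""Flag authentication tokens that violate a rotation policy.

Added example (not from the article): an inventory-driven audit covering
two failure modes: tokens past the rotation window, and tokens with a
reported exposure that were not rotated on or after the exposure date.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ROTATION_WINDOW = timedelta(days=90)   # assumed policy value, not from the article
AS_OF = date(2024, 10, 20)             # audit date used by run_audit()


@dataclass
class TokenRecord:
    name: str
    last_rotated: date
    exposed_on: Optional[date] = None   # date an exposure was reported, if any


# Constructed inventory; names and dates are illustrative placeholders.
INVENTORY = [
    TokenRecord("gitlab-ci-deploy", date(2024, 9, 1)),
    TokenRecord("gitlab-api-readonly", date(2022, 11, 15), exposed_on=date(2023, 1, 10)),
    TokenRecord("zendesk-api", date(2024, 8, 20), exposed_on=date(2024, 7, 1)),
    TokenRecord("legacy-backup", date(2024, 3, 1)),
]


def audit_tokens(inventory, today: date, window: timedelta = ROTATION_WINDOW) -> dict:
    """Return {'stale': [...], 'exposed_unrotated': [...]} as token names.

    stale: last rotation is older than `window`.
    exposed_unrotated: an exposure was reported and the last rotation
    predates it (rotating *before* the leak does not help).
    """
    stale, exposed_unrotated = [], []
    for t in inventory:
        if today - t.last_rotated > window:
            stale.append(t.name)
        if t.exposed_on is not None and t.last_rotated < t.exposed_on:
            exposed_unrotated.append(t.name)
    return {"stale": stale, "exposed_unrotated": exposed_unrotated}


def run_audit() -> dict:
    """Audit the constructed inventory as of AS_OF."""
    return audit_tokens(INVENTORY, AS_OF)


if __name__ == "__main__":
    for category, names in run_audit().items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

The `exposed_unrotated` list is the one that matters most here: a token that was rotated on schedule but before an exposure was reported is still live in the attacker's hands, so the exposure date, not the calendar, must trigger the rotation.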