
492 points vladyslavfox | 1 comments
TheFreim No.41895901
> "It's dispiriting to see that even after being made aware of the breach weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets," reads an email from the threat actor.

This is quite embarrassing. One of the first things you do when breached at this level is to rotate your keys. I seriously hope that they make some systemic changes; it seems that there were a variety of different bad security practices.

ghostly_s No.41896897
IA is in bad need of a leadership change. The content of the archive is immensely valuable (largely thanks to volunteers) but the decisions and priorities of the org have been far off base for years.
1. washadjeffmad No.41902975
Hot take, but the intersection of people with sufficient LIS / archival experience to run the place and who can live under constant legal peril without capitulating to adversarial interests is probably, what, a hundred in the world?

I'd say they need support. They didn't abandon or pervert their mission, they relied on people they trusted who weren't equipped to also handle security. If your house were broken into, I wouldn't start a neighborhood petition for you to move out, because you didn't cause it.

They may be in a rut, but short of you or someone else building an IA replacement that settles all of your concerns and committing to it for twenty five years with no serious compromises, you're probably punching a little above your weight on the topic.