Hackers breach Wayback Machine, exploiting open-source vulnerabilities
Cybersecurity experts underscore the need for vigilant asset protection and rapid response.
A recent hack of the Internet Archive’s Wayback Machine exposed the account records of roughly 31 million users, including password hashes, highlighting ongoing security vulnerabilities in web applications and the challenges of securing open-source components.
Cybersecurity experts say the breach, which involved defacing the website and was followed by distributed denial-of-service (DDoS) attacks, points to critical weaknesses in current cybersecurity practices.
“Sadly, not a lot has changed,” stated Phillip Ivancic, Head of Solutions Engineering, APAC at Black Duck. “It's probably the same advice that has been around for a very long time, that individuals should not reuse passwords in case they are compromised and then hackers could use them on different sites.”
Steven Sim, a member of the ISACA Information Security Advisory Group, echoed Ivancic's concerns, highlighting the importance of protecting development servers and networks. “There are quite a few lessons that definitely can be learned in this incident,” said Sim. “How Incident Response itself is handled, as well as...identifying your critical assets, protecting them adequately, and having adequate detection, response, and recovery.”
The motivation behind the Wayback Machine hack remains speculative, with theories ranging from “cyber street cred” to political motivations. Ivancic noted that the Wayback Machine holds potentially sensitive information that could be of interest to certain groups.
“Whoever the attacking group was, was really determined to disrupt the Internet Archive,” Ivancic explained. “They not only stole passwords, they defaced the web application...it was persistent and deliberate and really designed to try and, for lack of a better word, punish the Internet Archive.”
Sim added that non-financial motivations likely drove the attackers. “One of the strongest [theories] that stood out was...to gain cyber street credibility, or cyber street cred,” Sim said. He noted that this achievement could enhance the hacker’s reputation in the cyber community, as financial extortion was unlikely, given the Internet Archive’s non-profit status.
On the specifics of the breach, Ivancic said the initial vulnerability stemmed from an open-source component in the Internet Archive’s authentication process. “Scanning your websites for insecure, open-source components remains one of the most important things that organisations should do,” Ivancic explained.
The breach widened when the attackers obtained an API token that gave them access to the email server. “You do need to automate your processes to find [vulnerabilities] and hopefully fix them,” he said, suggesting that tools such as software composition analysis could prevent similar attacks.
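As an added illustration of what the automated scan Ivancic describes actually does (this is not code from the article, nor Black Duck’s or the Internet Archive’s tooling), the Python below compares a pinned dependency manifest against an advisory feed and reports every component whose installed version falls inside an affected range. The package names, versions and advisory IDs are constructed for the example and do not refer to real vulnerabilities; a production tool would pull advisories from a source such as OSV or a vendor feed and use a full version-comparison library rather than the simplified comparison shown here.

```python
"""Minimal software-composition check: pinned dependencies vs. an
advisory feed.

Added example only. Package names, versions and advisory IDs below are
constructed and do not describe real vulnerabilities.
"""
import re

# Constructed manifest in requirements.txt style (exact pins only).
MANIFEST = """\
# web tier dependencies (constructed)
auth-lib==2.3.1
json-parser==1.9.0
session-store==0.8.5
"""

# Constructed advisory feed: affected version range and first fixed
# version per package. A real SCA tool fetches this from OSV, the
# GitHub Advisory Database or a vendor feed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "auth-lib",
     "affected": ">=2.0.0,<2.4.0", "fixed": "2.4.0"},
    {"id": "ADV-EXAMPLE-2", "package": "session-store",
     "affected": "<0.9.0", "fixed": "0.9.0"},
    {"id": "ADV-EXAMPLE-3", "package": "json-parser",
     "affected": ">=2.0.0,<2.1.3", "fixed": "2.1.3"},
]

OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple, trailing zeros dropped
    so that 2.4 and 2.4.0 compare equal. Pre-release tags (1.0.0rc1)
    are out of scope here; real tools use packaging.version for that."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def in_range(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated clause in spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"(>=|<=|==|>|<)\s*(\d+(?:\.\d+)*)", clause.strip())
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](v, parse_version(bound)):
            return False
    return True


def parse_manifest(text: str) -> dict:
    """name==version lines -> {name: version}; comments and blanks skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if not sep or not version:
            raise ValueError(f"expected an exact pin, got: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(manifest_text: str, advisories: list) -> list:
    """Return one finding per advisory whose affected range covers the
    pinned version of a package present in the manifest."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        pkg = adv["package"].lower()
        if pkg in deps and in_range(deps[pkg], adv["affected"]):
            findings.append({"package": pkg, "installed": deps[pkg],
                             "advisory": adv["id"], "fixed": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(MANIFEST, ADVISORIES):
        print(f'{f["package"]}=={f["installed"]} affected by {f["advisory"]}; '
              f'upgrade to {f["fixed"]}')
```

Wiring a check like this into CI so that a build fails on any finding is the automation Ivancic is pointing at; the hard part in practice is keeping the advisory feed current and matching the exact component that is actually deployed, not just what the manifest says.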
Sim detailed further entry points discovered by the hackers, including an exposed configuration file that contained sensitive credentials. This file allowed attackers to download the Archive’s source code, which included authentication tokens and database credentials.
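The kind of exposure Sim describes, a configuration file carrying tokens and database credentials, is straightforward to hunt for before an attacker does. The Python below is an added example, not the Internet Archive’s tooling or code from the article: it scans a small constructed file tree for connection URLs with embedded passwords, private-key blocks and secret-looking assignments, and flags any hit that sits under an assumed web document root (`WEB_ROOT`), since such a file is one HTTP request away from a download. All paths, file contents and token values are constructed and contain no real credential.

```python
"""Find credentials embedded in configuration files and flag the ones
that live under a web-served directory.

Added example only; the file tree, paths and token values are
constructed for illustration and contain no real credential.
"""
import math
import re
from collections import Counter

# Constructed file tree: path -> contents. A real scan would walk the
# development server's filesystem or a repository checkout instead.
FILES = {
    "/srv/app/.env": (
        "DATABASE_URL=postgres://archive_app:Tr0ub4dor&3@db.internal:5432/archive\n"
        "API_TOKEN=c0nstructed-t0ken-d3adbeef42\n"
        "LOG_LEVEL=info\n"
    ),
    "/srv/app/public/config.json":
        '{"mail_api_key": "sk-CONSTRUCTED-9f8e7d6c5b4a3f2e1d0c", "theme": "dark"}\n',
    "/srv/app/deploy/id_deploy":
        "-----BEGIN OPENSSH PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
        "-----END OPENSSH PRIVATE KEY-----\n",
    "/srv/app/config/settings.ini":
        "[database]\nhost = db.internal\nuser = readonly\n",
}
WEB_ROOT = "/srv/app/public/"  # assumed document root of the web server

# (rule name, regex). Group 1, where present, captures the secret value.
RULES = [
    # scheme://user:password@host inside a connection URL
    ("connection URL with password",
     re.compile(r"\b\w+://[^:\s/]+:([^@\s]+)@")),
    # PEM / OpenSSH private key header
    ("private key block",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # KEY=value or "key": "value" where the key name suggests a secret
    ("assigned secret",
     re.compile(r"(?i)\b\w*(?:token|secret|api_?key|password|passwd)\b\"?\s*[=:]\s*\"?([^\s\"',]{12,})")),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, placeholders low."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def redact(value: str) -> str:
    """Never write a discovered secret in full into logs or tickets."""
    return value[:4] + "..." if len(value) > 4 else "***"


def scan_text(path: str, text: str, web_root: str) -> list:
    """Apply every rule to every line of one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if rx.groups else ""
            findings.append({
                "path": path,
                "line": line_no,
                "rule": name,
                "preview": redact(value),
                "entropy": round(shannon_entropy(value), 2),
                # Anything under the document root can be fetched directly.
                "exposed": path.startswith(web_root),
            })
    return findings


def scan_tree(files: dict, web_root: str) -> list:
    """Scan all files; web-exposed findings are sorted first because
    those credentials must be rotated and the file removed immediately."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text, web_root))
    findings.sort(key=lambda f: (not f["exposed"], f["path"], f["line"]))
    return findings


if __name__ == "__main__":
    for f in scan_tree(FILES, WEB_ROOT):
        flag = "EXPOSED" if f["exposed"] else "internal"
        print(f'{flag:8} {f["path"]}:{f["line"]}  {f["rule"]}  '
              f'({f["preview"]}, H={f["entropy"]})')
```

Pattern rules catch the structured cases (connection strings, key headers); the entropy score is reported so that a reviewer can separate random tokens from placeholders such as `changeme`. Whatever the scanner finds, the response is the same one the experts recommend: rotate the credential, move the secret out of the file into a secrets manager or environment injection, and make sure development hosts get the same scan as production.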
“Very often, many end user companies fall into the trap of thinking that these are non-live systems...and as a result, becomes a conduit or pivoting point into more critical resources and assets in the environment,” Sim explained, underscoring the importance of securing development systems.
To prevent similar incidents, Ivancic and Sim emphasised the importance of incident response planning, regular credential rotation, and clear communication with users. As Sim noted, effective cybersecurity governance involves robust risk assessment and ensuring “even development servers, development systems are secure,” an area where many companies fall short.