Internet Archive exposed again – this time through Zendesk

Despite the Internet Archive's assurances that it's back on its feet after a recent infosec incident, the org still appears to be in trouble after parties unknown claimed to hold access tokens to its Zendesk implementation and to have used them to send a mass email blast.

The claim was made on Sunday in the form of an email sent to those who have tried to interact with the Archive (IA) and had their requests routed to Zendesk – the SaaSy customer service platform.

The Register received the email in response to our most recent request for comment on the Archive's woes.

The mail opens: "It's dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets," before claiming the mail was made possible by the presence of a Zendesk token in that trove.

"As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to info@archive.org since 2018," the email states.

"Whether you were trying to ask a general question or requesting the removal of your site from the Wayback Machine – your data is now in the hands of some random guy. If not me, it'd be someone else," the unidentified e-mailer wrote, before finishing with "Here's hoping that they'll get their shit together now."

It's unclear if the author is the same entity who recently defaced the Archive's website and called out the org for lax infosec.

Posts to various social networks indicate The Register is far from alone in having received the mail.

The org's social feeds and blogs are silent on the matter at the time of writing.

• Internet Archive wobbles back online, with limited functionality
• Internet Archive user info stolen in cyberattack, succumbs to DDoS
• Of course the Internet Archive’s digital lending broke the law, appeals court says
• Internet Archive blames 'environmental factors' for overnight outages

But the Archive did manage to send at least one legitimate email last week – in which it asked for donations to help it work through its infosec issues.

"We apologize for the impact this caused on you, our valued users," that email read. "The support of our community is deeply appreciated, and your generosity and assistance can help us during this time. Please consider donating to support continued access to knowledge for all who seek it. We understand if you cannot contribute, but any assistance is greatly appreciated."

Anyone else feel like this might not be quite the moment to entrust the Internet Archive with credit card details? ®