Internet Archive

In October 2024, the **Internet Archive** suffered a major security breach alongside disruptive DDoS attacks, exposing data from **31 million user accounts**, including email addresses, usernames, bcrypt-hashed passwords, and internal records. The attack exploited **unrotated API tokens in a Zendesk support system**, revealing critical gaps in token management and security monitoring. While no highly sensitive financial data was stolen, the breach compromised a vast amount of user credentials and internal documentation, leading to potential downstream risks like credential stuffing, phishing, and reputational harm. The incident underscored the dangers of poor API security practices and the cascading effects of third-party vulnerabilities in SaaS ecosystems.

Source: https://www.kaseya.com/?post_type=post&p=24678

TPRM report: https://www.rankiteo.com/company/internet-archive

"id": "int4192641100925",
"linkid": "internet-archive",
"type": "Breach",
"date": "10/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'SMB customers (scope '
                                              'unspecified)',
                        'industry': 'Cloud Computing / SaaS',
                        'location': 'Global',
                        'name': 'Google (Salesforce Database)',
                        'size': 'Large Enterprise',
                        'type': 'Technology Corporation'},
                       {'customers_affected': '31 million user accounts',
                        'industry': 'Education / Digital Preservation',
                        'location': 'Global (HQ: San Francisco, USA)',
                        'name': 'Internet Archive',
                        'size': 'Medium-Large Organization',
                        'type': 'Non-Profit Digital Library'}],
 'attack_vector': ['Voice Phishing (Vishing)',
                   'Credential Theft',
                   'Unrotated API Tokens',
                   'OAuth Abuse (Potential)'],
 'customer_advisories': ['Google: Likely notified affected SMB customers (no '
                         'public details).',
                         'Internet Archive: Advised 31M users to reset '
                         'passwords and enable MFA.'],
 'data_breach': {'data_encryption': 'Partial (Internet Archive: bcrypt-hashed '
                                    'passwords)',
                 'data_exfiltration': 'Yes (Both Incidents)',
                 'number_of_records_exposed': ['Unspecified (Google '
                                               'Salesforce)',
                                               '31 million (Internet Archive)'],
                 'personally_identifiable_information': 'Limited (Emails, '
                                                        'usernames; no '
                                                        'SSNs/financial data)',
                 'sensitivity_of_data': 'Moderate (No highly sensitive '
                                        'PII/financial data in either case)',
                 'type_of_data_compromised': ['Contact Details (Google '
                                              'Salesforce)',
                                              'User Account Data (Internet '
                                              'Archive: emails, usernames, '
                                              'hashed passwords)']},
 'date_publicly_disclosed': ['2025-08-01', '2024-10-01'],
 'description': 'Two notable SaaS breaches: (1) Google reported a breach of '
                'its Salesforce database by ShinyHunters (UNC6040) in August '
                '2025, exposing customer contact details via voice phishing. '
                '(2) The Internet Archive disclosed a major breach in October '
                '2024, exposing 31M user accounts (emails, usernames, hashed '
                'passwords) due to unrotated API tokens in Zendesk. Both '
                'incidents highlight SaaS vulnerabilities like phishing, token '
                'mismanagement, and insufficient monitoring.',
 'impact': {'brand_reputation_impact': ['Erosion of Customer Trust (Both '
                                        'Incidents)',
                                        'Potential Customer Churn '
                                        '(MSPs/Clients Questioning '
                                        'Reliability)'],
            'customer_complaints': 'Likely (trust erosion, but no specific '
                                   'numbers provided)',
            'data_compromised': ['31M user accounts (Internet Archive: emails, '
                                 'usernames, bcrypt-hashed passwords, internal '
                                 'records)',
                                 'Google Salesforce: customer contact details '
                                 'and notes (SMB customers)'],
            'downtime': 'Internet Archive: Disruptive DDoS attacks alongside '
                        'breach (duration unspecified)',
            'identity_theft_risk': 'Low (Internet Archive: hashed passwords; '
                                   'Google: no financial/PII exposed)',
            'operational_impact': ['Lost Productivity (Both Incidents)',
                                   'Investigation and Remediation Efforts'],
            'payment_information_risk': 'None (No financial data compromised '
                                        'in either breach)',
            'systems_affected': ['Salesforce Database (Google)',
                                 'Zendesk Support System (Internet Archive)']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Possible (ShinyHunters’ '
                                                    'modus operandi)',
                           'entry_point': ['Voice Phishing (Google Salesforce)',
                                           'Unrotated API Tokens (Internet '
                                           'Archive)'],
                           'high_value_targets': ['Customer Contact Databases '
                                                  '(Google)',
                                                  'User Account Credentials '
                                                  '(Internet Archive)']},
 'investigation_status': 'Closed (Public Disclosures Issued)',
 'lessons_learned': ['SaaS threats are evolving with AI-powered phishing and '
                     'token theft; continuous monitoring is critical.',
                     'Token management (rotation, encryption, secure storage) '
                     'is essential to prevent API-based breaches.',
                     'Human error (phishing susceptibility) remains a top '
                     'risk; ongoing training is vital.',
                     'OAuth abuse and inactive MFA are persistent '
                     'vulnerabilities in SaaS environments.',
                     'Layered defense strategies (e.g., Kaseya 365 User) can '
                     'mitigate SaaS breach impacts.'],
 'motivation': ['Data Theft (Customer Contact Details)',
                'Potential Financial Gain (Dark Web Data Sales)',
                'Disruption (DDoS in Internet Archive Case)'],
 'post_incident_analysis': {'corrective_actions': ['Token rotation/encryption '
                                                   'policies (Internet '
                                                   'Archive).',
                                                   'Enhanced phishing training '
                                                   '(Google).',
                                                   'Layered security adoption '
                                                   '(e.g., Kaseya 365 User).'],
                            'root_causes': ['Inadequate token management '
                                            '(Internet Archive).',
                                            'Successful social engineering '
                                            '(Google Salesforce).',
                                            'Lack of proactive monitoring for '
                                            'hidden SaaS risks (both).']},
 'recommendations': ['Implement **proactive SaaS security measures**: layered '
                     'defenses, MFA enforcement, and token management.',
                     'Adopt **continuous monitoring** for both known threats '
                     '(phishing, malware) and hidden risks (orphaned links, '
                     'inactive accounts).',
                     'Use **automated threat detection/remediation** tools '
                     '(e.g., Kaseya 365 User) to reduce response times.',
                     'Conduct **regular security audits** for SaaS '
                     'integrations, API tokens, and user permissions.',
                     'Train employees on **advanced phishing tactics** '
                     '(vishing, AI-powered scams) and **secure file-sharing '
                     'practices**.',
                     'Ensure **business continuity plans** include '
                     'SaaS-specific recovery protocols.'],
 'references': [{'source': 'Cost of a Data Breach Report 2025'},
                {'source': 'Google Security Blog (Salesforce Breach '
                           'Disclosure, 2025)'},
                {'source': 'Internet Archive Breach Notification (2024)'},
                {'source': 'Kaseya 365 User Documentation'}],
 'regulatory_compliance': {'regulatory_notifications': 'Likely (GDPR/CCPA if '
                                                       'applicable, but not '
                                                       'specified)'},
 'response': {'communication_strategy': 'Public Disclosure (Both Incidents)',
              'containment_measures': ['Token Rotation (Internet Archive, '
                                       'post-breach)',
                                       'Phishing Awareness Training (Google, '
                                       'implied)'],
              'enhanced_monitoring': 'Recommended (Post-Breach)',
              'incident_response_plan_activated': 'Likely (both organizations '
                                                  'disclosed breaches '
                                                  'publicly)',
              'remediation_measures': ['Secure Token Storage/Encryption '
                                       '(Internet Archive)',
                                       'Monitoring Enhancements (Both)']},
 'stakeholder_advisories': 'MSPs advised to strengthen SaaS security postures '
                           'and adopt layered defenses.',
 'threat_actor': ['ShinyHunters (UNC6040)',
                  'Unknown (Internet Archive Breach)'],
 'title': 'Google Salesforce Breach (2025) and Internet Archive Data Breach '
          '(2024)',
 'type': ['Data Breach',
          'Unauthorized Access',
          'Phishing (Vishing)',
          'API Token Exploitation'],
 'vulnerability_exploited': ['Human Error (Phishing Susceptibility)',
                             'Improper Token Management (Unrotated API Tokens)',
                             'Lack of Multi-Factor Authentication (MFA) '
                             'Enforcement']}