
Internet Archive Breached via Unrotated API Tokens

Category: NHI & AI · Source: Infosecurity Magazine · Oct 2024

31M user records exposed

Attackers exploited an exposed GitLab token to access source code and a user database of 31M records, then used unrotated Zendesk tokens to access 800,000 support tickets.

Key Finding

Authentication tokens in GitLab had been left accessible for nearly two years without expiration or rotation policies.

In October 2024, the Internet Archive suffered a cascading breach that began with a single exposed GitLab configuration token. That token provided access to the Archive's source code repositories, which contained additional secrets including Zendesk API tokens that had not been rotated.

The first breach exposed a user database containing 31 million records. The second breach, enabled by the unrotated Zendesk tokens found in the GitLab secrets, provided access to over 800,000 support tickets, some containing personal identification documents.

The GitLab tokens had been accessible for nearly two years without expiration or rotation policies.

This incident directly maps to multiple entries on the OWASP Non-Human Identities Top 10: NHI2 (Secret Leakage), NHI7 (Long-Lived Secrets), and NHI1 (Improper Offboarding). It is a practical demonstration of why these risks were formalized into a dedicated OWASP list.

Long-lived secrets are the NHI equivalent of passwords that never expire. They accumulate in source code repositories, configuration files, environment variables, and CI/CD pipelines, often with excessive permissions and no monitoring. When they are eventually discovered by an attacker, they provide silent, persistent access that can go undetected for months or years.

Secret rotation is not a nice-to-have operational practice. It is a fundamental identity architecture control.
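The two paragraphs above describe where long-lived secrets accumulate and why rotation is an architectural control. The script below is an added example (not code from the article or from the Internet Archive) showing both halves of that in practice: a scan that finds token-shaped values committed in a config file, and an inventory check that flags any token with no expiry, no accountable owner, or an age past a rotation policy. The config lines, the inventory entries, the 90-day policy and the `TODAY` date are all constructed for the example; the only product-specific fact used is that GitLab personal access tokens carry the `glpat-` prefix.

```python
"""Two defensive checks against secret sprawl: find tokens sitting in config
files, and flag inventory entries that violate a rotation policy.
All sample data below is constructed for this example."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed config as it might be committed to a repository. Values are fake;
# "glpat-" is the prefix GitLab uses for personal access tokens.
SAMPLE_CONFIG = "\n".join([
    "GITLAB_TOKEN=glpat-xxxxxxxxxxxxxxxxxxxx",
    "ZENDESK_API_TOKEN=0123456789abcdef0123456789abcdef",
    "LOG_LEVEL=debug",
    "DB_HOST=db.internal",
])

# One product-specific prefix rule plus a generic rule: a key whose name
# suggests a secret, assigned a long opaque value.
PREFIX_PATTERNS = {"gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}")}
SECRET_KEY = re.compile(
    r"^\s*([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|KEY)[A-Z0-9_]*)\s*=\s*(\S+)", re.I)


def find_hardcoded_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, rule, key_name) for each suspected secret.
    The value itself is deliberately not returned, so findings can be
    logged or ticketed without re-leaking the secret."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hit = next((rule for rule, pat in PREFIX_PATTERNS.items()
                    if pat.search(line)), None)
        if hit:
            findings.append((n, hit, line.split("=", 1)[0].strip()))
            continue
        m = SECRET_KEY.match(line)
        if m and len(m.group(2)) >= 16:
            findings.append((n, "generic_secret", m.group(1)))
    return findings


@dataclass
class TokenRecord:
    name: str
    owner: str                    # empty string = nobody accountable for it
    issued: date
    last_rotated: Optional[date]  # None = never rotated since issue
    expires: Optional[date]       # None = no expiry set


MAX_AGE = timedelta(days=90)      # assumed rotation policy; tune per environment
TODAY = date(2024, 10, 9)         # constructed "now" so the example is deterministic


def rotation_findings(tokens: List[TokenRecord], today: date) -> Dict[str, List[str]]:
    """Map token name -> list of policy violations (tokens with none are omitted)."""
    out: Dict[str, List[str]] = {}
    for t in tokens:
        issues = []
        age = today - (t.last_rotated or t.issued)
        if t.expires is None:
            issues.append("no_expiry")
        if age > MAX_AGE:
            issues.append(f"stale:{age.days}d")
        if not t.owner:
            issues.append("no_owner")
        if issues:
            out[t.name] = issues
    return out


# Constructed inventory mirroring the shape of the incident: one repo token
# left untouched for about two years, one that is owned, rotated and expiring.
SAMPLE_INVENTORY = [
    TokenRecord("gitlab-ci-token", "", date(2022, 11, 1), None, None),
    TokenRecord("zendesk-support", "support-platform", date(2024, 8, 15),
                date(2024, 9, 20), date(2024, 12, 20)),
]

if __name__ == "__main__":
    for n, rule, key in find_hardcoded_secrets(SAMPLE_CONFIG):
        print(f"config line {n}: {rule} assigned to {key}")
    for name, issues in rotation_findings(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {', '.join(issues)}")
```

Run as a script it reports the two hard-coded tokens and lists the GitLab CI token as having no expiry, no owner, and an age of roughly two years, while the Zendesk entry passes. Wiring the first function into a pre-commit hook or CI step and the second into a scheduled job against the real secret inventory turns the article's "rotation is an architecture control" into something that fails a build or pages someone.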
