Threat Actor: Unknown | Unknown
Victim: Hugging Face | Hugging Face
Price: Not specified
Exfiltrated Data Type: Spaces secrets
Additional Information:
- The security breach affected Hugging Face’s Spaces platform.
- Unauthorized access to Spaces secrets was detected.
- A subset of Spaces’ secrets may have been compromised.
- Hugging Face revoked many HF tokens associated with the potentially accessed secrets.
- Users impacted by the revocation have been notified via email.
- Hugging Face recommends refreshing keys or tokens associated with user accounts.
- Switching to fine-grained access tokens is advised for enhanced security.
- External cybersecurity forensic specialists are assisting in the investigation.
- Improvements to the security of the Spaces infrastructure have been implemented, including the removal of Org Tokens, implementation of a Key Management Service (KMS), token leakage detection, and general security enhancements.
- Hugging Face plans to phase out “classic” read and write tokens in favor of fine-grained access tokens to bolster security.
Hugging Face, a leading provider of open-source machine learning and AI tools, has disclosed a recent security breach affecting its Spaces platform. The incident, which was detected last week, involved unauthorized access to Spaces secrets, raising concerns about the potential exposure of sensitive information.
According to a statement from Hugging Face, their security team identified unauthorized access to the Spaces platform, specifically targeting Spaces secrets. This unauthorized access suggests that a subset of these secrets may have been compromised.
“Earlier this week our team detected unauthorized access to our Spaces platform, specifically related to Spaces secrets. As a consequence, we have suspicions that a subset of Spaces’ secrets could have been accessed without authorization,” warned Hugging Face.
In response, Hugging Face took immediate action by revoking many HF tokens associated with the potentially accessed secrets. Users impacted by this revocation have already been notified via email.
To mitigate the potential impact of the breach, Hugging Face recommends that all users refresh any keys or tokens associated with their accounts. They also advise switching to fine-grained access tokens, which are now the default and offer enhanced security features compared to the classic tokens.
Hugging Face has enlisted the expertise of external cybersecurity forensic specialists to assist in the investigation of this breach. This collaboration aims to uncover the root cause of the incident and ensure that comprehensive security measures are in place to prevent future occurrences.
In the wake of the breach, Hugging Face has implemented several significant improvements to the security of the Spaces infrastructure:
- Removal of Org Tokens: Organizational tokens have been completely removed, enhancing traceability and audit capabilities.
- Key Management Service (KMS): A KMS has been implemented for managing Spaces secrets, adding an additional layer of security.
- Token Leakage Detection: The system’s ability to identify and proactively invalidate leaked tokens has been robustified and expanded.
- General Security Enhancements: Across the board improvements have been made to strengthen the platform’s overall security posture.
Additionally, Hugging Face plans to phase out “classic” read and write tokens in favor of fine-grained access tokens, once the latter reaches feature parity. This transition is aimed at bolstering security and minimizing the risk of unauthorized access.
Original Source: https://securityonline.info/hugging-face-spaces-platform-hit-by-unauthorized-access/