Secrets Exposed in Hugging Face Hack

Secrets Exposed in Hugging Face Hack

June 3, 2024 at 04:07AM

Hugging Face, an AI tool development company, reported unauthorized access to its Spaces platform, potentially exposing a subset of Spaces’ secrets. The company has revoked compromised tokens, advised users to refresh keys and switch to fine-grained access tokens, and engaged external forensics experts. It has also made significant security improvements to its infrastructure.

Key Takeaways from the Meeting Notes:

– Hugging Face informed its customers of unauthorized access to its Spaces platform, potentially exposing a subset of Spaces’ secrets.
– The company has revoked tokens present in the compromised secrets and advised impacted users to refresh their key or token, and consider switching to fine-grained access tokens.
– External forensics experts have been engaged for the investigation, and both law enforcement and data protection authorities have been notified.
– Significant security improvements have been made to the Spaces infrastructure, including the removal of org tokens, implementation of a key management service for Spaces secrets, and enhancing the system’s ability to identify and invalidate leaked tokens.
– There are plans to deprecate ‘classic’ read and write tokens in the near future, with a shift towards fine-grained access tokens.

Advertisements:
– An AI security startup discovered over 1,600 Hugging Face API tokens exposed in code repositories, potentially providing access to hundreds of organizations’ accounts.
– Several critical vulnerabilities in AI development supply chain and open source AI/ML platforms have been disclosed.

Full Article