Hugging Face Spaces Platform Hit by Unauthorized Access

Hugging Face security breach

Hugging Face, a leading provider of open-source machine learning and AI tools, has disclosed a recent security breach affecting its Spaces platform. The incident, which was detected last week, involved unauthorized access to Spaces secrets, raising concerns about the potential exposure of sensitive information.

According to a statement from Hugging Face, their security team identified unauthorized access to the Spaces platform, specifically targeting Spaces secrets. This unauthorized access suggests that a subset of these secrets may have been compromised.

“Earlier this week our team detected unauthorized access to our Spaces platform, specifically related to Spaces secrets. As a consequence, we have suspicions that a subset of Spaces’ secrets could have been accessed without authorization,” warned Hugging Face.

In response, Hugging Face took immediate action by revoking many HF tokens associated with the potentially accessed secrets. Users impacted by this revocation have already been notified via email.

To mitigate the potential impact of the breach, Hugging Face recommends that all users refresh any keys or tokens associated with their accounts. They also advise switching to fine-grained access tokens, which are now the default and offer enhanced security features compared to the classic tokens.

Hugging Face has enlisted the expertise of external cybersecurity forensic specialists to assist in the investigation of this breach. This collaboration aims to uncover the root cause of the incident and ensure that comprehensive security measures are in place to prevent future occurrences.

In the wake of the breach, Hugging Face has implemented several significant improvements to the security of the Spaces infrastructure:

  • Removal of Org Tokens: Organizational tokens have been completely removed, enhancing traceability and audit capabilities.
  • Key Management Service (KMS): A KMS has been implemented for managing Spaces secrets, adding an additional layer of security.
  • Token Leakage Detection: The system’s ability to identify and proactively invalidate leaked tokens has been robustified and expanded.
  • General Security Enhancements: Across the board improvements have been made to strengthen the platform’s overall security posture.

Additionally, Hugging Face plans to phase out “classic” read and write tokens in favor of fine-grained access tokens, once the latter reaches feature parity. This transition is aimed at bolstering security and minimizing the risk of unauthorized access.