Hugging Face Spaces Breach Exposes User Authentication Secrets, Prompting Security Overhaul

TheRealThreatHuntress
2 min read · Jun 3, 2024

Hugging Face reported a breach in its Spaces platform, exposing authentication secrets of its users to hackers.

The Spaces platform serves as a community-driven repository for AI applications, enabling members to demo and share their creations.

In a recent blog post, Hugging Face disclosed that unauthorized access to the Spaces platform was detected, specifically targeting Spaces secrets. The company suspects that some of these secrets may have been compromised.

In response, Hugging Face has revoked the affected authentication tokens and informed impacted users via email. The company also advises all Spaces users to refresh their tokens and adopt fine-grained access tokens for better control over AI model access.

The company is collaborating with external cybersecurity experts to investigate the breach and has reported the incident to law enforcement and data protection agencies.

To enhance security, Hugging Face has made several improvements, including eliminating org tokens for better traceability, implementing a key management service for Spaces secrets, and enhancing the system’s ability to detect and invalidate leaked tokens. The company plans to phase out “classic” read and write tokens once fine-grained access tokens are fully implemented.

As Hugging Face gains popularity, it has increasingly become a target for cyber threats. In February, cybersecurity firm JFrog identified around 100 malicious AI models on the platform, some of which executed harmful code on users’ machines. More recently, researchers at Wiz found a vulnerability allowing them to upload custom models and exploit container escapes for cross-tenant access to other users’ models.

Happy Hunting!

— TheRealThreatHuntress