After the SnowFlake Data Breach, Hugging Face notifies users of a data breach resulting from unauthorized access.
What Happened in the Hugging Face Security Breach?
Artificial intelligence (AI) company Hugging Face notified users on June 1st, 2024 of a security incident where unauthorized access was detected on its Spaces platform. Spaces is a community repository that allows users to create, host and share AI/ML applications.
Hugging Face stated that it has “suspicions that a subset of Spaces’ secrets could have been accessed without authorization.” In response, they revoked a number of authentication tokens that were present in the compromised secrets. The company emailed all impacted users to notify them and recommend they refresh any keys or tokens.
The full scope of the Hugging Face Breach is still under investigation. However, it appears an unauthorized actor was able to gain access to some Spaces secrets, which could have compromised private AI models, datasets or applications submitted by users. Hugging Face alerted relevant law enforcement and data protection authorities about the incident.
Recommended Steps in Response to the Hugging Face Hack
In its notice to users, Hugging Face recommended several steps to help protect against impact from the security breach:
- Refresh any access keys or tokens that could have been exposed. This will invalidate compromised credentials.
- Consider switching to “fine-grained access tokens”, which provide more restricted access control. Fine-grained tokens have now become the default on Spaces.
- Be aware that some “HF Tokens” used for authentication may have been revoked if they were present in compromised secrets. Users receiving token revocation emails should take appropriate follow-up action.
Hugging Face also made security improvements on Spaces like removing blanket organizational tokens and implementing key management services to better secure secrets moving forward.
Similar Incident Reported at Snowflake Platform
In a separate but related incident, cloud data platform Snowflake also reported a targeted cyberattack where credentials of a former employee account were compromised. This led to unauthorized access of some customer accounts. Like Hugging Face, Snowflake is investigating the full scope and working with cybersecurity experts.
The growing use of AI/ML platforms and data clouds makes them a target for hackers looking to steal sensitive models, data or intellectual property. Both Hugging Face and Snowflake demonstrate the ongoing need for strong access controls, secrets management and prompt incident response. Users should carefully evaluate access privileges and take steps to protect authentication mechanisms.
The Hugging Face Breach highlights the security risks within growing open-source AI communities. Proper investigation may reveal stolen secrets led to direct access without authorization. All Hugging Face users should follow the recommended steps to refresh or switch tokens in response.
