Hugging Face Breach

NHI Mgmt Group

Overview

In early June 2024, Hugging Face, a leading AI company and platform, announced a security breach affecting its Spaces platform, which lets users build and host AI applications. The incident involved unauthorized access to authentication secrets (API keys and tokens), which could expose sensitive data and disrupt workflows. In response, Hugging Face implemented immediate mitigation measures and conducted a full incident investigation with the help of external cybersecurity experts.

Key Points

Nature of the Breach

  • The attacker gained unauthorized access to Spaces secrets stored on Hugging Face’s platform. These secrets include authentication tokens, such as Hugging Face tokens, that developers and organizations use to access APIs and services.

Possible Impact

  • Spaces supports hosting, deploying, and sharing AI/ML models and applications. With the stolen secrets, the attacker could gain access to private AI models, datasets, or configurations, which could cause major disruption to production systems.

Detection and Response

Hugging Face detected the breach early through suspicious activity that indicated potential unauthorized access, and took immediate action as follows:

  • Hugging Face revoked the compromised tokens and informed the affected users by email.

  • Users were advised to refresh their keys or tokens and switch to fine-grained access tokens, which offer better security.

Security Enhancements

Hugging Face made significant security enhancements to the Spaces infrastructure to prevent or limit similar attacks in the future.

These enhancements include:

  • Implementing a key management service (KMS) for better secrets management.

  • Removing organization tokens to improve traceability and audit capabilities.

  • Replacing traditional tokens with fine-grained ones that restrict permissions and give developers more security.
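As an added example (not Hugging Face's code), the following Python script shows two checks a Space owner could run after an incident like this: scanning a Space's source files for hardcoded `hf_` tokens that should live in Spaces secrets instead, and flagging broad legacy tokens that should be replaced with fine-grained ones. The token regex and the `whoami`-style response layout (`auth.accessToken.role`) are assumptions, and all sample inputs are constructed.

```python
import re
from dataclasses import dataclass

# Hugging Face user access tokens carry the "hf_" prefix; the minimum length is an assumption
# chosen to avoid matching short identifiers such as "hf_token".
HF_TOKEN_RE = re.compile(r"\bhf_[A-Za-z0-9]{30,}\b")


@dataclass
class Finding:
    path: str
    line: int
    redacted: str  # never log the full secret


def redact(token: str) -> str:
    return token[:6] + "..." + token[-4:]


def scan_for_hardcoded_tokens(files: dict) -> list:
    """Return one Finding per hf_ token literal found in the given {path: text} map."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in HF_TOKEN_RE.finditer(line):
                findings.append(Finding(path, lineno, redact(match.group())))
    return findings


def classify_token(whoami: dict) -> str:
    """Classify a whoami-style response (assumed schema) as fine-grained or legacy.

    Legacy read/write tokens grant broad access and are the ones to rotate.
    """
    role = whoami.get("auth", {}).get("accessToken", {}).get("role", "")
    if role == "fineGrained":
        return "fine-grained"
    if role in ("read", "write"):
        return "legacy-" + role
    return "unknown"


# Constructed sample Space source: one file hardcodes a (fake) token, one reads it from the environment.
SAMPLE_FILES = {
    "app.py": 'HF_TOKEN = "hf_' + "A" * 34 + '"\nclient = connect(HF_TOKEN)\n',
    "settings.py": 'import os\nHF_TOKEN = os.environ["HF_TOKEN"]\n',
}
# Constructed sample whoami responses (assumed schema).
SAMPLE_LEGACY = {"auth": {"accessToken": {"displayName": "ci", "role": "write"}}}
SAMPLE_FINE = {"auth": {"accessToken": {"displayName": "ci", "role": "fineGrained"}}}
```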

Conclusion

This incident showed the importance of strong and robust security measures to defend against attackers, especially as the AI sector evolves and AI-as-a-service (AIaaS) becomes a prime target for threat actors seeking to exploit vulnerabilities for malicious purposes.