Hugging Face, a popular data science community and development platform, recently made headlines after issuing a security disclosure regarding its Spaces platform. The platform, where users can create and deploy machine learning-powered applications, was found to have been compromised, exposing users’ secrets such as tokens, API keys, and sensitive credentials.
The company detected unauthorized access to its Spaces platform earlier in the week, leading to suspicions that a subset of users’ secrets may have been accessed without authorization. In response, Hugging Face reported the incident to law enforcement and data protection authorities, and is currently working with forensic specialists to investigate the breach further.
As a precautionary measure, Hugging Face revoked several tokens associated with the exposed secrets and notified affected users via email. While the exact number of affected users is unknown, the company advised all users to reset their keys or tokens and switch to fine-grained access tokens for better security.
Following the breach, Hugging Face implemented several security enhancements to fortify its Spaces infrastructure. These measures included removing organization access tokens, improving traceability and audit capabilities, and expanding the system’s ability to proactively identify and invalidate any leaked tokens. The company also announced plans to deprecate ‘classic’ read and write tokens in favor of fine-grained access tokens in the near future.
This incident marks the second security breach involving Hugging Face tokens in the past six months. In December, more than 1,600 exposed Hugging Face API tokens were discovered by cybersecurity firm Lasso Security, posing a supply chain security risk to major organizations like Google, Meta, and Microsoft.
TechTarget Editorial reached out to Hugging Face for comment on the recent security breach, but the company had not responded at the time of publication.
In conclusion, Hugging Face users are advised to reset their keys and tokens immediately and stay vigilant for any suspicious activity on their accounts. The company’s proactive response to the breach demonstrates its commitment to securing user data and preventing future incidents.