Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Artificial Intelligence

Secrets Exposed in Hugging Face Hack

AI tool development platform Hugging Face has detected a Spaces hack that resulted in the exposure of secrets.

Hugging Face hack

AI tool development company Hugging Face informed customers on Friday that it had detected unauthorized access to its Spaces platform. 

Hugging Face Spaces makes it easier for users to create and share machine learning (ML) applications and demos with others. 

According to the company, the unauthorized access to the Spaces platform may have exposed “a subset of Spaces’ secrets”. 

In response, it has revoked tokens present in the compromised secrets and it has notified impacted users.

“We recommend you refresh any key or token and consider switching your HF tokens to fine-grained access tokens which are the new default,” Hugging Face said in a blog post.

The company has called in external forensics experts to assist with the investigation, and it has notified law enforcement and data protection authorities.

“Over the past few days, we have made other significant improvements to the security of the Spaces infrastructure, including completely removing org tokens (resulting in increased traceability and audit capabilities), implementing key management service (KMS) for Spaces secrets, robustifying and expanding our system’s ability to identify leaked tokens and proactively invalidate them, and more generally improving our security across the board,” Hugging Face said.

“We also plan on completely deprecating ‘classic’ read and write tokens in the near future, as soon as fine-grained access tokens reach feature parity,” it added.

Advertisement. Scroll to continue reading.

In late 2023, an AI security startup discovered more than 1,600 Hugging Face API tokens exposed in code repositories, providing access to hundreds of organizations’ accounts.

Related: Critical Flaw in AI Python Package Can Lead to System and Data Compromise

Related: Eight Vulnerabilities Disclosed in the AI Development Supply Chain

Related: Critical Vulnerabilities Found in Open Source AI/ML Platforms

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

Merlin Ventures has appointed cybersecurity executive Andrew Smeaton as the firm’s CISO-in-Residence.

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

More People On The Move

Expert Insights