HUGGING FACE BREACH: COMPANY REVOKES SPACES TOKENS

Last week, Hugging Face discovered unauthorized access to its Spaces platform, which is used for creating, sharing, and deploying AI models and resources. In a blog post, Hugging Face revealed that the breach involved the exposure of Spaces secrets, including private data used to access secure resources like accounts, tools, and the developer environment. There are concerns that some of these secrets may have been accessed by unauthorized parties.

As a precautionary measure, Hugging Face revoked a number of tokens associated with these secrets (tokens are utilized for identity verification). Users affected by the token recall have been notified via email. Hugging Face advises all users to update their keys or tokens and consider switching to more secure tokens with tighter access controls.

The extent of the impact on users or applications from the potential breach is currently unclear. Hugging Face disclosed that the company is collaborating with external cybersecurity experts to investigate the incident and enhance its security protocols. The breach has also been reported to law enforcement and data protection authorities.

Additionally, Hugging Face informed TechCrunch that there has been a notable uptick in cyber threats in recent months, potentially linked to the platform’s increased usage and the growing popularity of AI technology. The company said it faces challenges in determining the full scope of compromised Spaces secrets.

The breach of Spaces comes at a time when Hugging Face, a prominent platform for collaborative AI and data science projects, is under heightened scrutiny regarding its security practices. In April, researchers from cybersecurity firm Wiz identified two critical vulnerabilities in Hugging Face that could enable attackers to escalate privileges, access other customers’ models, and manipulate CI/CD processes.
