Hugging Face has reported a security breach on its Spaces platform, resulting in unauthorized access to certain authentication secrets. Spaces, a hub for user-generated AI applications, was specifically targeted, the company reports.
The incident came to light earlier this week, and Hugging Face disclosed in a blog post that a collection of these secrets might have been accessed without authorization. As a safety measure, the company has revoked the compromised tokens and notified affected users via email. Users are encouraged to refresh their tokens and switch to fine-grained access tokens for enhanced control over AI model access.
Enhanced Security Measures Implemented
In response, Hugging Face has collaborated with external cybersecurity experts to probe the incident. The company has also informed law enforcement and data protection agencies. Security enhancements include eliminating organization tokens for better traceability, introducing a key management service (KMS) for handling Spaces secrets, and updating systems to identify and invalidate leaked tokens proactively.
Hugging Face will eventually phase out “classic” read and write tokens in favor of fine-grained access tokens after achieving feature parity. The company remains committed to strengthening security across its infrastructure and is continuing to investigate any related incidents.
Previous Security Incidents
Hugging Face's increasing popularity has made it an appealing target for cyber threats. In February, cybersecurity firm JFrog uncovered approximately 100 malicious AI and machine learning models on the platform. These models aimed to execute harmful code on victims' systems, with one model even enabling remote access through a reverse shell.
More recently, researchers at Wiz found a vulnerability that allowed custom models to be uploaded and exploited, leading to cross-tenant access to other users' models. Hugging Face is actively addressing these security challenges to safeguard its community and infrastructure.
Company Response and Future Measures
Hugging Face has expressed regret for the disruption caused by the breach and vowed to improve the security of its infrastructure. “We deeply regret the disruption this incident may have caused and understand the inconvenience it may have posed to you,” the company says. Users with further questions are encouraged to contact [email protected].
As investigations continue, Hugging Face is on alert for any additional security threats. The platform's renewed focus on security aims to reassure its users and developers. This incident highlights the need for strong cybersecurity practices in the evolving fields of artificial intelligence and machine learning.