AI tool development company Hugging Face recently informed its customers about unauthorized access to its Spaces platform, which is designed to facilitate the creation and sharing of machine learning (ML) applications and demos. The company stated that the breach may have exposed a subset of Spaces’ secrets, prompting it to revoke tokens associated with compromised secrets and notify affected users.
In response to the security incident, Hugging Face recommended that users refresh any key or token and switch to fine-grained access tokens, which are now the default option. The company also enlisted external forensics experts to aid in the investigation and has reported the breach to law enforcement and data protection authorities.
Furthermore, Hugging Face outlined several security enhancements implemented in the aftermath of the breach, including the removal of org tokens for increased traceability and audit capabilities, the implementation of a key management service (KMS) for Spaces secrets, and the reinforcement of the system’s ability to identify and invalidate leaked tokens proactively. The company also announced plans to phase out ‘classic’ read and write tokens in favor of fine-grained access tokens once they achieve feature parity.
This incident comes on the heels of a discovery made by an AI security startup in late 2023, in which over 1,600 Hugging Face API tokens were found exposed in code repositories, potentially granting unauthorized access to numerous organizations’ accounts. The cybersecurity community has been increasingly vigilant about vulnerabilities in AI development platforms, as evidenced by recent disclosures of critical flaws in open-source AI/ML platforms.
As Hugging Face works to address the breach and enhance its security measures, the incident serves as a reminder of the importance of robust cybersecurity practices in the rapidly evolving field of artificial intelligence. Customers and stakeholders are advised to follow the company’s recommendations for securing their accounts and stay informed about any further developments in the investigation.