Space secrets security update


Earlier this week our team detected unauthorized access to our Spaces platform, specifically related to Spaces secrets. As a consequence, we have suspicions that a subset of Spaces’ secrets might have been accessed without authorization.

As a first step of remediation, we have revoked numerous HF tokens present in those secrets. Users whose tokens have been revoked already received an email notice. We recommend you refresh any key or token and consider switching your HF tokens to fine-grained access tokens, which are the new default.

We are working with outside cyber security forensic specialists to investigate the issue as well as to review our security policies and procedures.

Over the past few days, we have made other significant improvements to the security of the Spaces infrastructure, including completely removing org tokens (leading to increased traceability and audit capabilities), implementing a key management service (KMS) for Spaces secrets, robustifying and expanding our system’s ability to identify leaked tokens and proactively invalidate them, and more generally improving our security across the board. We also plan on completely deprecating “classic” read and write tokens in the near future, as soon as fine-grained access tokens reach feature parity. We will continue to investigate any possible related incident.

Finally, we have also reported this incident to law enforcement agencies and data protection authorities.

We deeply regret the disruption this incident may have caused and understand the inconvenience it may have posed to you. We pledge to use this as an opportunity to strengthen the security of our entire infrastructure. For any question, please contact us at security@huggingface.co.


