
Hugging Face says it detected ‘unauthorized access’ to its AI model hosting platform | TechCrunch

Late Friday afternoon, a time period that companies typically reserve for inappropriate disclosures, AI startup Hugging Face said that earlier this week its security team detected “unauthorized access” to Spaces, Hugging Face’s platform for creating, sharing, and hosting AI models and resources.

In a blog post, Hugging Face said the intrusion is related to Spaces secrets, or private pieces of information that act as keys to unlock protected resources like accounts, devices and dev environments, and that it “suspect[s]” some of the secrets may have been accessed by a third party without authorization.

As a precaution, Hugging Face has revoked many of the tokens in those secrets. (The tokens are used to verify identity.) Hugging Face says users whose tokens were revoked have already received an email notice, and it recommends that all users “refresh any keys or tokens” and consider switching to fine-grained access tokens, which Hugging Face claims are more secure.

It was not immediately clear how many users or apps were affected by the potential breach.

“We are working with external cybersecurity forensic experts to investigate the issue as well as reviewing our security policies and procedures. We have also reported the incident to law enforcement agencies and data [sic] protection authorities,” Hugging Face wrote in the post. “We deeply regret the trouble this incident has caused and we understand how much inconvenience it must have caused you. We pledge to use this opportunity to strengthen the security of our entire infrastructure.”

In an emailed statement, a Hugging Face spokesperson told TechCrunch:

“We are seeing a significant increase in the number of cyber attacks in the last few months, probably because our usage is increasing significantly and AI is becoming more mainstream. It is technically difficult to know how many Spaces secrets have been compromised.”

The potential hacking of Spaces comes at a time when Hugging Face, one of the largest platforms for collaborative AI and data science projects with over one million models, data sets, and AI-powered apps, is facing growing scrutiny over its security practices.

In April, researchers at cloud security firm Wiz found a vulnerability, now fixed, that allowed attackers to execute arbitrary code during the build time of Hugging Face-hosted apps, allowing them to probe network connections to their machines. Earlier this year, security firm JFrog reported evidence that code uploaded to Hugging Face has secretly installed backdoors and other types of malware on end-user machines. And security startup HiddenLayer has identified ways Hugging Face’s secure serialization format, Safetensors, could be abused to create sabotaged AI models.

Hugging Face recently said it will partner with Wiz to use the company’s vulnerability scanning and cloud environment configuration tools “with the goal of improving security across our platform and the AI/ML ecosystem at large.”
