AI platform Hugging Face says hackers stole auth tokens from Spaces

AI platform Hugging Face says that its Spaces platform was breached, allowing hackers to access authentication secrets for its members.
Hugging Face Spaces is a repository of AI apps created and submitted by the community's users, allowing other members to demo them.
Hugging Face says they have already revoked authentication tokens in the compromised secrets and have notified those impacted by email.
They recommend that all Hugging Face Spaces users refresh their tokens and switch to fine-grained access tokens, which allow organizations to have tighter control over who has access to their AI models.
The company is working with external cybersecurity experts to investigate the breach and report the incident to law enforcement and data protection agencies.
The AI platform says they have been tightening security over the past few days due to the incident.
We will continue to investigate any possible related incident.
As Hugging Face grows in popularity, it has also become a target for threat actors, who attempt to abuse it for malicious activities.
In February, cybersecurity firm JFrog found approximately 100 instances of malicious AI ML models used to execute malicious code on a victim's machine.
One of the models opened a reverse shell that allowed a remote threat actor to access a device running the code.
More recently, security researchers at Wiz discovered a vulnerability that allowed them to upload custom models and leverage container escapes to gain cross-tenant access to other customers' models.
Malicious AI models on Hugging Face backdoor users' machines.
Ascension redirects ambulances after suspected ransomware attack.
Ascension healthcare takes systems offline after cyberattack.
Snowflake account hacks linked to Santander, Ticketmaster breaches.
Ticketmaster confirms massive breach after stolen data for sale online.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 02 Jun 2024 21:00:10 +0000


Cyber News related to AI platform Hugging Face says hackers stole auth tokens from Spaces

Hugging Face dodged a cyber-bullet with Lasso Security's help - Further validating how brittle the security of generative AI models and their platforms are, Lasso Security helped Hugging Face dodge a potentially devastating attack by discovering that 1,681 API tokens were at risk of being compromised. The tokens ...
6 months ago Venturebeat.com
Meta AI Models Cracked Open With Exposed API Tokens - Researchers recently were able to get full read and write access to Meta's Bloom, Meta-Llama, and Pythia large language model repositories in a troubling demonstration of the supply chain risks to organizations using these repositories to integrate ...
6 months ago Darkreading.com
Exposed Hugging Face API tokens jeopardized GenAI models - Lasso Security researchers discovered 1,681 Hugging Face API tokens exposed in code repositories, which left vendors such as Google, Meta, Microsoft and VMware open to potential supply chain attacks. In a blog post published Monday, Lasso Security ...
6 months ago Techtarget.com
AI platform Hugging Face says hackers stole auth tokens from Spaces - AI platform Hugging Face says that its Spaces platform was breached, allowing hackers to access authentication secrets for its members. Hugging Face Spaces is a repository of AI apps created and submitted by the community's users, allowing other ...
1 week ago Bleepingcomputer.com
Exposed Hugging Face APIs Opened AI Models to Cyberattacks - Security flaws found in both Hugging Face and GitHub repositories exposed almost 1,700 API tokens, opening up AI developers to supply chain and other attacks and putting a brighter spotlight on the need to ensure that security keeps up with the ...
6 months ago Securityboulevard.com
Major Organizations Using 'Hugging Face' AI Tools Put at Risk by Leaked API Tokens - AI cybersecurity startup Lasso has discovered more than 1,600 valid Hugging Face API tokens exposed in code repositories, providing access to hundreds of organizations' accounts. Leaked secrets, such as tokens, have long been the focus of ...
6 months ago Securityweek.com
Hugging Face API tokens exposed, major projects vulnerable The Register - The API tokens of tech giants Meta, Microsoft, Google, VMware, and more have been found exposed on Hugging Face, opening them up to potential supply chain attacks. Researchers at Lasso Security found more than 1,500 exposed API tokens on the open ...
6 months ago Go.theregister.com
In the rush to build AI apps, don't leave security behind The Register - There are countless models, libraries, algorithms, pre-built tools, and packages to play with, and progress is relentless. You'll typically glue together libraries, packages, training data, models, and custom source code to perform inference tasks. ...
2 months ago Go.theregister.com
Why Tokens Are Like Gold for Opportunistic Threat Actors - COMMENTARY. Authentication tokens aren't actual physical tokens, of course. Authentication tokens are an important part of cybersecurity. Which means that anyone with a token has a gold key to corporate systems - without requiring a multifactor ...
1 month ago Darkreading.com
ML Model Repositories: The Next Big Supply Chain Attack Target - The techniques are similar to ones that attackers have successfully used for years to upload malware to open source code repositories, and highlight the need for organizations to implement controls for thoroughly inspecting ML models before use. ...
2 months ago Darkreading.com
Microsoft unveils Face Check for secure identity verification - Microsoft today announced the launch of Face Check, a new facial recognition feature for its Entra Verified ID digital identity platform. Face Check allows businesses to match a user's selfie to their government ID or employee credentials, providing ...
4 months ago Venturebeat.com
Hugging Face's AI Supply Chain Escapes Near Breach by Hackers - A recent report from VentureBeat reveals that HuggingFace, a prominent AI leader specializing in pre-trained models and datasets, narrowly escaped a potential devastating cyberattack on its supply chain. The incident underscores existing ...
6 months ago Cysecurity.news
Former Uber CISO Speaks Out, After 6 Years, on Data Breach, SolarWinds - Joe Sullivan arrived at his sentencing hearing on May 4 this year, prepared to go to jail had the judge not gone with a parole board's recommendation of probation. A federal jury convicted the former Uber CISO months earlier on two charges of fraud ...
6 months ago Darkreading.com
Protect AI Unveils Gateway to Secure AI Models - Protect AI today launched a Guardian gateway that enables organizations to enforce security policies to prevent malicious code from executing within an artificial intelligence model. Guardian is based on ModelScan, an open source tool from Protect AI ...
4 months ago Securityboulevard.com
Microsoft Adds Face Check to Entra Verified ID - Microsoft has added facial matching to its Entra Verified ID service, which lets organizations create and issue verifiable credentials to validate claims such as employment, education, certifications, and residence. The new Face Check feature is ...
4 months ago Darkreading.com
Generative AI Takes on SIEM - With more vendors adding support for generative AI to their platforms and products, life for security analysts seems to be getting deceptively easier. While adding generative AI capabilities to security information and event management is still in ...
6 months ago Darkreading.com
Rootkit Turns Kubernetes from Orchestration to Subversion - As software development focuses on continuous integration and deployment, orchestration platforms like Kubernetes have taken off, but that popularity has put them in attackers' crosshairs. Most successful attacks - at least those publicly reported - ...
6 months ago Darkreading.com
HackerOne paid ethical hackers over $300 million in bug bounties - HackerOne has announced that its bug bounty programs have awarded over $300 million in rewards to ethical hackers and vulnerability researchers since the platform's inception. Thirty hackers have earned over a million USD for their submissions, and ...
6 months ago Bleepingcomputer.com
CVE-2022-36407 - Insertion of Sensitive Information into Log File vulnerability in Hitachi Virtual Storage Platform, Hitachi Virtual Storage Platform VP9500, Hitachi Virtual Storage Platform G1000, G1500, Hitachi Virtual Storage Platform F1500, Hitachi Virtual ...
2 months ago
CISA orders agencies impacted by Microsoft hack to mitigate risks - CISA has issued a new emergency directive ordering U.S. federal agencies to address risks resulting from the breach of multiple Microsoft corporate email accounts by the Russian APT29 hacking group. It requires them to investigate potentially ...
2 months ago Bleepingcomputer.com
What Is OAuth 2.0? - Scope of Access: Before OAuth, the meal planning app might have access to data that the user did not actually wish to share. No Way to Revoke Access: Before OAuth, the user could not easily restrict or revoke the meal planning app's access to their ...
5 months ago Feeds.dzone.com
How Hackers Interrupted GTA 5 Online Gameplay on PC - Recently, a cyber-attack on Grand Theft Auto 5 Online on PC caused an interruption to thousands of players’ gameplays. The game was completely taken offline and players couldn’t even access the main gameplay menu. The attack caused an uproar ...
1 year ago Hackread.com
Over 12 million auth secrets and keys leaked on GitHub in 2023 - GitHub users accidentally exposed 12.8 million authentication and sensitive secrets in over 3 million public repositories during 2023, with the vast majority remaining valid after five days. The exposed secrets include account passwords, API keys, ...
3 months ago Bleepingcomputer.com
Booking.com hackers increase attacks on customers - Hackers are increasing their attacks on Booking.com customers by posting adverts on dark web forums asking for help finding victims. Cyber-criminals are offering up to $2,000 for login details of hotels as they continue to target the people who are ...
6 months ago Bbc.com
Make Your Buildings Smarter with Cisco Spaces Cloud - With Cisco Spaces your existing network infrastructure becomes a sensor that allows you to extract network data to make your buildings smarter. Cisco Spaces Firehose API. Designed for the cloud-first era, the Firehose API offers a low-latency, ...
2 weeks ago Feedpress.me

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)