Hugging Face Cyber Attack Compromises User Tokens

The AI development platform ‘Hugging Face’ has issued a warning to users following reports of unauthorized access to its Spaces feature.

Cybercriminals allegedly targeted the ‘Space Secrets’ section of the Hugging which is responsible for housing the login credentials, though no named hacker or cyber group has yet claimed responsibility. 

“Earlier this week our team detected unauthorized access to our Spaces platform, specifically related to Spaces secrets," HuggingFace confirmed in a statement released on May 31st"

"As a consequence, we have suspicions that a subset of Spaces’ secrets could have been accessed without authorization.

The statement goes on to explain that the company has taken immediate action, including revoking ‘HF Tokens’, which are the access credentials used to interact with the Spaces platform.

Users who have been affected will receive an email to explain that their access credentials are no longer valid and need to be updated to ‘fine-grained access tokens.’

Hugging Face recommends that all users, not just those impacted, refresh any keys or tokens they use for the Spaces platform as a precautionary measure to ensure they're using the most secure credentials.

The statement also confirms that Hugging Face are now working with ‘outside cyber security forensic specialists’ to understand and investigate the extent of the issue as well as to review cyber security policies going forward.

They have also implemented additional security measures including ‘completely removing org tokens (resulting in increased traceability and audit capabilities), implementing key management service (KMS) for Spaces secrets, robustifying and expanding [their] system’s ability to identify leaked tokens and proactively invalidate them, and more generally improving [their] security across the board.”

What is Hugging Face?

Hugging Face develops tools for building applications that use machine learning (ML) and natural language processing. The company's platform, also known as the Hugging Face Hub, is a central location for machine learning resources and for fostering collaboration and exploration in the field. 

This hub boasts over 350,000 machine learning models, 75,000 datasets, and 150,000 demo applications, all of which are open source, meaning anyone can use them.

The platform is designed to encourage a community driven approach to artificial intelligence, allowing users to share their own ML models and datasets, collaborate on projects and build on each other's ideas.

Hugging Face Spaces is a specific feature within the platform that caters to sharing and showcasing machine learning applications by allowing users to easily deploy and share their machine learning models as interactive web applications.

Developers can use Spaces to showcase their work, present projects to stakeholders, or even build a portfolio of their machine-learning skills.

Spaces aims to simplify the process of deploying AI models. It integrates with popular libraries like Streamlit and Gradio, allowing users to build interfaces with minimal coding effort.

Spaces are accessible through a web browser, making it easy for others to interact with your machine learning models without needing to install any special software. 

What To Do If you are Affected by the Hugging Face Cyber Attack?

If your HF tokens have been compromised during the Hugging Face cyber attack you will receive an email from Hugging Face’s support team to let you know that your credentials are no longer valid and will need to be updated to the new default ‘fine-grained access tokens.’

However, Hugging Face recommends that all users refresh keys and tokens used for the Spaces platform as a precautionary measure.

Ensure you are vigilant about any upcoming potential phishing emails. Scammers might use the attack to send emails pretending to be Hugging Face.

These emails could attempt to trick you into revealing personal information or clicking on dangerous links. Don't click on links or attachments in suspicious emails, and be wary of emails urging immediate action.

The Hugging Face cyber attack is the latest in a string of major threats in recent days, with the large-scale; e-ticket-selling platforms Ticketmaster and Ticketek also falling victim to data breaches in the past week. 

 Individuals and businesses must practice good cyber security hygiene going forward by ensuring that no passwords are reused and setting up multi-factor authentication.

This adds an extra layer of protection to your accounts, making it much harder for hackers to gain access. MFA requires you to provide two or more pieces of evidence to verify your identity when you log in.