Incident

Hugging Face AI platform reports breach of authentication secrets of its Spaces platform

Take action: If you are using Hugging Face Spaces, rotate your keys ASAP, because they are probably compromised.


Learn More

AI platform Hugging Face reports a security breach that compromised the authentication secrets of its Spaces platform, which is a repository for user-created AI applications.

The unauthorized access was detected earlier in the week starting on 27th May. Hugging Face has revoked the compromised authentication tokens and notified affected users via email. The company strongly recommends that all users refresh their tokens and switch to fine-grained access tokens to enhance security and control over AI model access.

Hugging Face has engaged external cybersecurity experts to investigate the incident, and has reported it to law enforcement and data protection agencies.

In the aftermath, the platform has implemented several security enhancements, including:

  • Completely removing organization tokens to improve traceability and audit capabilities.
  • Implementing a Key Management Service (KMS) for managing Spaces secrets.
  • Enhancing the system’s ability to detect and proactively invalidate leaked tokens.
  • Planning to deprecate “classic” read and write tokens in favor of fine-grained access tokens once they achieve feature parity.

The number of affected users and the nature of the attack have not been disclosed.

Hugging Face claims that it continues to investigate the breach and is committed to improving security across its platform.
