Unknown People Fraudulently Accessed Spaces from AI Company ‘Hugging Face’

AI company Hugging Face has reported a security breach involving its Spaces platform, saying that unknown parties have accessed parts of its platform without authorization.

Hugging Face is responsible for a platform named Spaces that allows hosting and sharing of machine-learning models and applications. It can also be used to find other apps made by developers on Spaces.

"Earlier this week our team detected unauthorized access to our Spaces platform, specifically related to Spaces secrets," said the company in the advisory. "As a consequence, we have suspicions that a subset of Spaces' secrets could have been accessed without authorization."

"As a first step of remediation, we have revoked a number of HF tokens present in those secrets. Users whose tokens have been revoked already received an email notice. We recommend you refresh any key or token and consider switching your HF tokens to fine-grained access tokens which are the new default," the company added.

The company has yet to offer more details about the breach but said it's working with cybersecurity forensic specialists to investigate the problem, which may suggest they don’t know exactly how unknown parties had access to the platform.

Hugging Face also took several security measures following the security incident, including completely removing organizational tokens, implementing a key management service (KMS) for Spaces secrets and enhancing the system's ability to identify and invalidate leaked tokens.

Finally, the company is also planning on deprecating "classic" read-and-write tokens in the near future.