Hugging Face detects unauthorized access to the AI model hosting platform

23:55 01/06/2024


Late Friday, a time companies often use to announce bad news, artificial intelligence (AI) startup Hugging Face said its security team had detected “unauthorized access” to Spaces – Hugging Face’s platform for building, sharing, and hosting AI models and resources.


In a blog post, Hugging Face said that the intrusion involved “space secrets” – private pieces of information that act as keys to unlock protected resources such as accounts, tools and development environments. Hugging Face “suspects” some secrets may have been accessed by unauthorized third parties.

As a precaution, Hugging Face revoked some tokens (used for identity verification) in those secrets. Hugging Face said users whose tokens were revoked received notification emails and recommended that all users “re-update any keys or tokens” and consider switching to fine-grained access tokens – the type that Hugging Face considers safer.

It is unclear how many users or applications are affected by this potential security vulnerability.

“We are working with external cybersecurity forensic experts to investigate the matter and review our security policies and procedures. We have also reported this incident to the appropriate law enforcement and data protection agencies,” Hugging Face wrote in the post. “We regret the disruption this incident may cause and understand the inconvenience it may cause you. We are committed to using this as an opportunity to enhance the security of all our infrastructure.”

In an email statement, a Hugging Face spokesperson said: “The number of cyberattacks has increased significantly over the past few months, likely due to our user base growing significantly and AI becoming more common. Technically, it’s difficult to know exactly how many space secrets have been breached.”

The possible Spaces hack comes as Hugging Face – one of the largest platforms for collaborative AI and data science projects with over a million models, datasets and applications running on AI – is facing increasing scrutiny over its privacy practices.

This past April, researchers at cloud security company Wiz found a (patched) vulnerability that allowed attackers to execute arbitrary code during the build time of an application hosted on Hugging Face, allowing them to test network connections from their device. Earlier this year, security firm JFrog discovered evidence that code uploaded to Hugging Face covertly installed backdoors and other types of malware on end-user machines. And security startup HiddenLayer has identified ways in which Hugging Face’s more secure serialization format, Safetensors, could be exploited to create destructive AI models.

Hugging Face recently said it will work with Wiz to use the company’s vulnerability scanning and cloud environment configuration tools “with the goal of improving security across our platform and the overall AI/ML ecosystem.”
