{"id":101430,"date":"2024-05-31T21:51:49","date_gmt":"2024-05-31T21:51:49","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2024\/05\/31\/hugging-face-says-it-detected-unauthorized-access-to-its-ai-model-hosting-platform-techcrunch\/"},"modified":"2024-05-31T21:51:49","modified_gmt":"2024-05-31T21:51:49","slug":"hugging-face-says-it-detected-unauthorized-access-to-its-ai-model-hosting-platform-techcrunch","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2024\/05\/31\/hugging-face-says-it-detected-unauthorized-access-to-its-ai-model-hosting-platform-techcrunch\/","title":{"rendered":"Hugging Face says it detected &#8216;unauthorized access&#8217; to its AI model hosting platform | TechCrunch"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p class=\"wp-block-paragraph\">Late Friday afternoon, a time window companies usually reserve for unflattering disclosures, AI startup Hugging Face said that its security team earlier this week detected \u201cunauthorized access\u201d to Spaces, Hugging Face\u2019s platform for creating, sharing and hosting AI models and resources.<\/p>\n<p class=\"wp-block-paragraph\">In a <a href=\"https:\/\/huggingface.co\/blog\/space-secrets-disclosure\" target=\"_blank\" rel=\"noopener\">blog post<\/a>, Hugging Face said that the intrusion related to Spaces secrets, or the private pieces of information that act as keys to unlock protected resources like accounts, tools and dev environments, and that it has \u201csuspicions\u201d some secrets could\u2019ve been accessed by a third party without authorization. <\/p>\n<p class=\"wp-block-paragraph\">As a precaution, Hugging Face has revoked a number of tokens in those secrets. (Tokens are used to verify identities.) Hugging Face says that users whose tokens have been revoked have already received an email notice and is recommending that all users \u201crefresh any key or token\u201d and consider switching to fine-grained access tokens, which Hugging Face claims are more secure.<\/p>\n<p class=\"wp-block-paragraph\">It wasn\u2019t immediately clear how many users or apps were impacted by the potential breach.<\/p>\n<p class=\"wp-block-paragraph\">\u201cWe are working with outside cyber security forensic specialists, to investigate the issue as well as review our security policies and procedures. We have also reported this incident to law enforcement agencies and Data [sic] protection authorities,\u201d Hugging Face wrote in the post. \u201cWe deeply regret the disruption this incident may have caused and understand the inconvenience it may have posed to you. We pledge to use this as an opportunity to strengthen the security of our entire infrastructure.\u201d<\/p>\n<p class=\"wp-block-paragraph\">In an emailed statement, a Hugging Face spokesperson told TechCrunch: <\/p>\n<p class=\"wp-block-paragraph\">\u201cWe\u2019ve been seeing the number of cyberattacks increase significantly in the past few months, probably because our usage has been growing significantly and AI is becoming more mainstream. It\u2019s technically difficult to know how many spaces secrets have been compromised.\u201d<\/p>\n<p class=\"wp-block-paragraph\">The possible hack of Spaces comes as Hugging Face, which is among the largest platforms for collaborative AI and data science projects with over one million models, data sets and AI-powered apps, faces increasing scrutiny over its security practices. <\/p>\n<p class=\"wp-block-paragraph\">In April, researchers at cloud security firm Wiz found a <a href=\"https:\/\/www.darkreading.com\/cloud-security\/critical-bugs-hugging-face-ai-platform-pickle\" target=\"_blank\" rel=\"noopener\">vulnerability<\/a> \u2014 since fixed \u2014 that would allow attackers to execute arbitrary code during a Hugging Face-hosted app\u2019s build time that\u2019d let them examine network connections from their machines. Earlier in the year, security firm JFrog <a href=\"https:\/\/arstechnica.com\/security\/2024\/03\/hugging-face-the-github-of-ai-hosted-code-that-backdoored-user-devices\/\" target=\"_blank\" rel=\"noopener\">uncovered<\/a> evidence that code uploaded to Hugging Face covertly installed backdoors and other types of malware on end-user machines. And security startup HiddenLayer identified ways Hugging Face\u2019s ostensibly safer serialization format, Safetensors, could be <a href=\"https:\/\/go.skimresources.com\/?id=100098X1555750&amp;isjs=1&amp;jv=15.7.0&amp;sref=https%3A%2F%2Farstechnica.com%2Fsecurity%2F2024%2F03%2Fhugging-face-the-github-of-ai-hosted-code-that-backdoored-user-devices%2F&amp;url=https%3A%2F%2Fhiddenlayer.com%2Fresearch%2Fsilent-sabotage%2F&amp;xs=1&amp;xtz=240&amp;xuuid=874ee97460f59add3a198f578a496a33&amp;abp=1&amp;xjsf=other_click__contextmenu%20%5B2%5D\" target=\"_blank\" rel=\"noopener\">abused<\/a> to create sabotaged AI models.<\/p>\n<p class=\"wp-block-paragraph\">Hugging Face <a href=\"https:\/\/huggingface.co\/blog\/hugging-face-wiz-security-blog\" target=\"_blank\" rel=\"noopener\">recently said<\/a> that it would partner with Wiz to use the company\u2019s vulnerability scanning and cloud environment configuration tools \u201cwith the goal of improving security across our platform and the AI\/ML ecosystem at large.\u201d<\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/techcrunch.com\/2024\/05\/31\/hugging-face-says-it-detected-unauthorized-access-to-its-ai-model-hosting-platform\/\" target=\"_blank\" rel=\"noopener\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Late Friday afternoon, a time window companies usually reserve for unflattering disclosures, AI startup Hugging Face said that its security team earlier this week detected \u201cunauthorized access\u201d to Spaces, Hugging Face\u2019s platform for creating, sharing and hosting AI models and resources. In a blog post, Hugging Face said that the intrusion related to Spaces secrets, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":101431,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":{"0":"post-101430","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech"},"_links":{"self":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/101430","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=101430"}],"version-history":[{"count":0,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/101430\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/101431"}],"wp:attachment":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=101430"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=101430"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=101430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}