猫猫被 HuggingFace 发来的邮件吓到了,故发贴
HuggingFace Spaces 的令牌疑似泄露
译:
本周早些时候,我们的团队检测到对Spaces平台的未经授权访问,特别是与Spaces机密信息有关的访问。因此,我们怀疑部分Spaces机密信息可能已经被未经授权的人员获取。
作为补救的第一步,我们已撤销了这些机密信息中的一些HF令牌。令牌被撤销的用户已经收到邮件通知。我们建议您刷新任何密钥或令牌,并考虑将您的HF令牌切换为细粒度访问令牌,这是新的默认设置。
我们正在与外部的网络安全鉴证专家合作,调查此问题并审查我们的安全政策和程序。
过去几天,我们对Spaces基础设施的安全性进行了其他重大改进,包括完全删除组织令牌(提高了可追踪性和审计能力)、为Spaces机密实施密钥管理服务(KMS)、增强和扩大系统识别泄漏令牌并主动使其失效的能力,以及更广泛地提升我们的总体安全性。我们还计划在近期内彻底弃用“经典”读写令牌,待细粒度访问令牌功能实现后即执行。我们将继续调查任何可能相关的事件。
最后,我们已将此事件报告给执法机构和数据保护部门。
我们对该事件可能造成的干扰深表遗憾,并理解其带来的不便。我们承诺将利用这一机会加强整个基础设施的安全性。如有任何问题,请联系我们:[email protected]。
原文
Earlier this week our team detected unauthorized access to our Spaces platform, specifically related to Spaces secrets. As a consequence, we have suspicions that a subset of Spaces’ secrets could have been accessed without authorization.
As a first step of remediation, we have revoked a number of HF tokens present in those secrets. Users whose tokens have been revoked already received an email notice. We recommend you refresh any key or token and consider switching your HF tokens to fine-grained access tokens which are the new default.
We are working with outside cyber security forensic specialists, to investigate the issue as well as review our security policies and procedures.
Over the past few days, we have made other significant improvements to the security of the Spaces infrastructure, including completely removing org tokens (resulting in increased traceability and audit capabilities), implementing key management service (KMS) for Spaces secrets, robustifying and expanding our system’s ability to identify leaked tokens and proactively invalidate them, and more generally improving our security across the board. We also plan on completely deprecating “classic” read and write tokens in the near future, as soon as fine-grained access tokens reach feature parity. We will continue to investigate any possible related incident.
Finally, we have also reported this incident to law enforcement agencies and Data protection authorities.
We deeply regret the disruption this incident may have caused and understand the inconvenience it may have posed to you. We pledge to use this as an opportunity to strengthen the security of our entire infrastructure. For any question, please contact us at [email protected].
