Cyber Incident Victim: Docker Inc.
Date: Apr 2019
Location: United States of America
Summary
An unauthorized individual compromised a Docker Hub database, potentially exposing sensitive data of approximately 190,000 users. The breach involved access to some usernames and hashed passwords, along with GitHub and Bitbucket tokens used for automated image builds. These tokens could enable unauthorized access to private code repositories, raising supply-chain attack risks if malicious modifications occurred. The company revoked all exposed tokens and access keys upon discovery, advising affected users to change passwords and review repository security logs for suspicious activity. The incident prompted enhancements to the platform’s security processes and monitoring tools, with ongoing investigations to assess the full scope of impact.
Description
On April 25, 2019, Docker detected unauthorized access to a single Docker Hub database containing non-financial user data. The company acted immediately to secure the system upon discovery. An investigation revealed that the breach exposed sensitive information for approximately 190,000 users, representing less than 5% of Docker Hub's total user base. The compromised data included usernames and hashed passwords for a small subset of affected accounts, along with GitHub and Bitbucket access tokens used for Docker's autobuild functionality. These tokens enabled automated code integration between Docker Hub and external repositories, so if misused they could give an attacker access to private source code repositories. The exposure period was described as brief, though specific start and end times weren't disclosed. Docker confirmed that no financial data was stored in the affected database. The incident created significant supply-chain attack risks, since a compromised token could allow malicious code to be injected into Docker images widely used in applications and infrastructure.

Docker revoked all exposed GitHub tokens and access keys following the discovery. The company notified affected users via email on April 26, instructing them to change their Docker Hub passwords and audit connected accounts. Users were directed to review GitHub and Bitbucket security logs for unauthorized activity over the preceding 24 hours and to relink their source repositories to restore autobuild functionality. Docker acknowledged that the breach might disrupt ongoing automated builds during remediation. The company implemented enhanced security measures, including additional monitoring tools, and initiated policy reviews. Docker Support Director Kent Lamb confirmed that the investigation remained ongoing and promised further updates. Impacted developers faced the urgent tasks of verifying repository integrity and reestablishing build pipelines, made more challenging by the Friday night disclosure timing. The exposure highlighted the risks associated with integration tokens between development platforms.
