Cyber Incident Victim: Hugging Face
Date: May 2024
Location: United States of America
Summary
Hugging Face detected unauthorized access to secrets within its Spaces platform, raising the suspicion that certain credentials may have been compromised. The organization revoked the affected user tokens and advised users to switch to fine-grained access tokens, while working with cybersecurity specialists to investigate and strengthen its security controls. Remediation included infrastructure changes such as eliminating organization tokens, introducing a key management service for secrets, improving token leak detection, and planning to deprecate classic tokens. The incident was reported to law enforcement and data protection authorities as part of ongoing efforts to harden system-wide security.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 1, 2024, Hugging Face disclosed an incident involving unauthorized access to its Spaces platform, specifically to Spaces secrets. The company had detected the breach earlier that week and suspected that a subset of these secrets, which included Hugging Face tokens, may have been compromised. In response, Hugging Face immediately revoked the affected tokens and notified impacted users by email, advising them to refresh their credentials and move to fine-grained access tokens. The incident prompted collaboration with external forensic specialists to investigate the breach and review existing security protocols. While the exact scope of the unauthorized access remained under investigation, the compromise centered on secrets stored within Spaces, Hugging Face's collaborative environment for hosting AI applications.

Hugging Face implemented several infrastructure security enhancements following the breach. These included eliminating organization tokens to improve traceability and auditing, integrating a key management service (KMS) for Spaces secrets, and strengthening its systems to detect and invalidate leaked tokens proactively. The company announced plans to phase out classic read/write tokens once fine-grained alternatives reached full functionality. Law enforcement and data protection authorities were notified of the incident, though no attacker identity or intrusion methodology was disclosed. Ongoing investigation focused on identifying related incidents while infrastructure-wide security improvements continued. The breach caused operational disruption for users whose tokens were revoked, though Hugging Face did not quantify the number of affected accounts or describe any data exfiltration beyond the potential access to secrets.
