Artificial Intelligence (AI) company Hugging Face detected unauthorized access to its Spaces platform earlier this week, as disclosed on Friday.
“We suspect that a subset of Spaces’ secrets may have been accessed without authorization,” it stated in an advisory.
Spaces allows users to create, host, and share AI and machine learning (ML) applications, as well as discover AI apps developed by others on the platform.
In response to the security incident, Hugging Face is revoking a number of HF tokens contained in those secrets and notifying affected users via email.
“We recommend refreshing any key or token and considering switching to fine-grained access tokens as the new default,” the company said.
The company did not disclose the number of impacted users, as the incident is still being investigated. It has also informed law enforcement and data protection authorities about the breach.
This incident highlights the risks faced by AI-as-a-service (AIaaS) providers like Hugging Face: the rapid expansion of the AI sector makes them attractive targets for malicious actors.
Earlier in April, cloud security firm Wiz revealed security vulnerabilities in Hugging Face that could enable attackers to access AI/ML models and manipulate CI/CD pipelines.
Prior research by HiddenLayer also uncovered flaws in Hugging Face’s Safetensors conversion service that could have allowed AI models to be hijacked and used for supply chain attacks.
Wiz researchers noted, “If a malicious actor were to compromise Hugging Face’s platform, they could potentially gain access to private AI models, datasets, and critical applications, leading to widespread damage and potential supply chain risk.”