Earlier this week, our team detected unauthorized access to the Spaces platform, specifically related to Spaces secrets. As a result, we suspect that a subset of Spaces secrets could have been accessed without authorization.
As a first step in remediation, we have revoked many of the HF tokens present in those secrets. Users whose tokens have been revoked have already received an email notification. We recommend that you refresh any key or token and consider switching your HF tokens to fine-grained access tokens, which are the new default.
We are working with external cybersecurity forensic specialists to investigate the issue and review our security policies and procedures.
Over the past few days we have made other significant improvements to the security of the Spaces infrastructure. These include completely removing organization tokens (which improves traceability and auditing capabilities), implementing a key management service (KMS) for Spaces secrets, and making the system more robust and expanding it across the board. We also plan to completely deprecate “classic” read and write tokens in the near future. We will continue to investigate any possible related incidents.
Finally, we have reported the incident to law enforcement and data protection authorities.
We deeply regret the confusion this incident may have caused and the inconvenience it has brought to you. We pledge to use this as an opportunity to enhance security across our infrastructure. If you have any questions, please contact security@huggingface.co.