Hugging Face says it detected ‘unauthorized access’ to its AI model hosting platform
Late Friday afternoon, a time window companies usually reserve for unflattering disclosures, AI startup Hugging Face said that its security team earlier this week detected “unauthorized access” to Spaces, Hugging Face’s platform for creating, sharing and hosting AI models and resources.
In a blog post, Hugging Face said that the intrusion related to Spaces secrets, or the private pieces of information that act as keys to unlock protected resources like accounts, tools and dev environments, and that it has “suspicions” some secrets could’ve been accessed by a third party without authorization.
As a precaution, Hugging Face has revoked a number of tokens in those secrets. (Tokens are used to verify identities.) Hugging Face says that users whose tokens have been revoked have already received an email notice and is recommending that all users “refresh any key or token” and consider switching to fine-grained access tokens, which Hugging Face claims are more secure.
It wasn’t immediately clear how many users or apps were impacted by the potential breach.
“We are working with outside cyber security forensic specialists, to investigate the issue as well as review our security policies and procedures. We have also reported this incident to law enforcement agencies and Data [sic] protection authorities,” Hugging Face wrote in the post. “We deeply regret the disruption this incident may have caused and understand the inconvenience it may have posed to you. We pledge to use this as an opportunity to strengthen the security of our entire infrastructure.”
In an emailed statement, a Hugging Face spokesperson told TechCrunch:
“We’ve been seeing the number of cyberattacks increase significantly in the past few months, probably because our usage has been growing significantly and AI is becoming more mainstream. It’s technically difficult to know how many spaces secrets have been compromised.”
The possible hack of Spaces comes as Hugging Face, which is among the largest platforms for collaborative AI and data science projects with over one million models, data sets and AI-powered apps, faces increasing scrutiny over its security practices.
In April, researchers at cloud security firm Wiz found a vulnerability — since fixed — that would allow attackers to execute arbitrary code during a Hugging Face-hosted app’s build time that’d let them examine network connections from their machines. Earlier in the year, security firm JFrog uncovered evidence that code uploaded to Hugging Face covertly installed backdoors and other types of malware on end-user machines. And security startup HiddenLayer identified ways Hugging Face’s ostensibly safer serialization format, Safetensors, could be abused to create sabotaged AI models.
Hugging Face recently said that it would partner with Wiz to use the company’s vulnerability scanning and cloud environment configuration tools “with the goal of improving security across our platform and the AI/ML ecosystem at large.”
Every weekday and Sunday, you can get the best of TechCrunch’s coverage.
Startups are the core of TechCrunch, so get our best coverage delivered weekly.
The latest Fintech news and analysis, delivered every Tuesday.
TechCrunch Mobility is your destination for transportation news and insight.
By submitting your email, you agree to our Terms and Privacy Notice.
Generative AI improvements are increasingly being made through data curation and collection — not architectural — improvements. Big Tech has an advantage.
Keeping up with an industry as fast-moving as AI is a tall order. So until an AI can do it for you, here’s a handy roundup of recent stories in the world…
Jasper Health, a cancer care platform startup, laid off a substantial part of its workforce, TechCrunch has learned.
Featured Article
Live Nation says its Ticketmaster subsidiary was hacked. A hacker claims to be selling 560 million customer records.
Featured Article
An autonomous pod. A solid-state battery-powered sports car. An electric pickup truck. A convertible grand tourer EV with up to 600 miles of range. A “fully connected mobility device” for young urban innovators to be built by Foxconn and priced under $30,000. The next Popemobile. Over the past eight years, famed vehicle designer Henrik Fisker…
Late Friday afternoon, a time window companies usually reserve for unflattering disclosures, AI startup Hugging Face said that its security team earlier this week detected “unauthorized access” to Spaces, Hugging…
Featured Article
Using stalkerware is creepy, unethical, potentially illegal, and puts your data and that of your loved ones in danger.
The design brief was simple: each grind and dry cycle had to be completed before breakfast. Here’s how Mill made it happen.
Google is embarrassed about its AI Overviews, too. After a deluge of dunks and memes over the past week, which cracked on the poor quality and outright misinformation that arose…
Welcome to Startups Weekly — Haje‘s weekly recap of everything you can’t miss from the world of startups. Sign up here to get it in your inbox every Friday. In…
The product, which ZeroMark calls a “fire control system,” has two components: a small computer that has sensors, like lidar and electro-optical, and a motorized buttstock.
The RAW Dating App aims to shake up the dating scheme by shedding the fake, TikTok-ified, heavily filtered photos and replacing them with a more genuine, unvarnished experience. The app…
Yes, we’re calling it “ThreadsDeck” now. At least that’s the tag many are using to describe the new user interface for Instagram’s X competitor, Threads, which resembles the column-based format…
Japanese crypto exchange DMM Bitcoin confirmed on Friday that it had been the victim of a hack resulting in the theft of 4,502.9 bitcoin, or about $305 million. According to…
This is not a drill! Today marks the final day to secure your early-bird tickets for TechCrunch Disrupt 2024 at a significantly reduced rate. At midnight tonight, May 31, ticket…
Instagram is testing a way for creators to experiment with reels without committing to having them displayed on their profiles, giving the social network a possible edge over TikTok and…
U.S. federal regulators have requested more information from Zoox, Amazon’s self-driving unit, as part of an investigation into rear-end crash risks posed by unexpected braking. The National Highway Traffic Safety…
You thought the hottest rap battle of the summer was between Kendrick Lamar and Drake. You were wrong. It’s between Canva and an enterprise CIO. At its Canva Create event…
Voice cloning startup ElevenLabs introduced a new tool for users to generate sound effects through prompts today after announcing the project back in February.
We caught up with Antler founder and CEO Magnus Grimeland about the startup scene in Asia, the current tech startup trends in the region and investment approaches during the rise…
Temu is to face Europe’s strictest rules after being designated as a “very large online platform” under the Digital Services Act (DSA).
Meta has been banned from launching features on Facebook and Instagram that would have collected data on voters in Spain using the social networks ahead of next month’s European Elections.…
Stripe, the world’s most valuable fintech startup, said on Friday that it will temporarily move to an invite-only model for new account sign-ups in India, calling the move “a tough…
The 2024 election is likely to be the first in which faked audio and video of candidates is a serious factor. As campaigns warm up, voters should be aware: voice…
When Alex Ewing was a kid growing up in Purcell, Oklahoma, he knew how close he was to home based on which billboards he could see out the car window.…
SpaceX’s massive Starship rocket could take to the skies for the fourth time on June 5, with the primary objective of evaluating the second stage’s reusable heat shield as the…
Eric Lefkofsky knows the public listing rodeo well and is about to enter it for a fourth time. The serial entrepreneur, whose net worth is estimated at nearly $4 billion,…
TechCrunch Disrupt showcases cutting-edge technology and innovation, and this year’s edition will not disappoint. Among thousands of insightful breakout session submissions for this year’s Audience Choice program, five breakout sessions…
Check Point is the latest security vendor to fix a vulnerability in its technology, which it sells to companies to protect their networks.
Though Spotify never shared official numbers, it’s likely that Car Thing underperformed or was just not worth continued investment in today’s tighter economic market.
Powered by WordPress VIP
source
Sponsor:News technical sponsor
Sponsor:News AI sponsor
Sponsor: AI sponsor
Sponsor: AI sponsor
Leave a Comment