Hugging Face Detects Unauthorised Access To Spaces Platform, Revokes Tokens

This incident highlights the growing risks faced by AI-as-a-service (AIaaS) providers like Hugging Face as the AI sector rapidly expands

Artificial Intelligence (AI) company Hugging Face revealed on Friday that it detected unauthorised access to its Spaces platform earlier this week.

“We have suspicions that a subset of Spaces’ secrets could have been accessed without authorization,” the company stated in an advisory.

Spaces is a platform that allows users to create, host, and share AI and machine learning (ML) applications. It also serves as a discovery tool for finding AI apps made by other users. In response to the security breach, Hugging Face announced it is revoking several HF tokens that were potentially accessed and is notifying affected users via email.

“We recommend you refresh any key or token and consider switching your HF tokens to fine-grained access tokens which are the new default,” the advisory added.

Hugging Face has not disclosed the number of users affected by the incident, which remains under investigation. The company has informed law enforcement agencies and data protection authorities about the breach.

This incident highlights the growing risks faced by AI-as-a-service (AIaaS) providers like Hugging Face as the AI sector rapidly expands. Attackers could exploit these platforms for malicious purposes.

In early April, cloud security firm Wiz identified security issues in Hugging Face that could allow adversaries to gain cross-tenant access and manipulate AI/ML models by taking over continuous integration and continuous deployment (CI/CD) pipelines. Additionally, research by HiddenLayer found flaws in the Hugging Face Safetensors conversion service, which could let attackers hijack AI models submitted by users and stage supply chain attacks.

“If a malicious actor were to compromise Hugging Face’s platform, they could potentially gain access to private AI models, datasets, and critical applications, leading to widespread damage and potential supply chain risk,” Wiz researchers noted in April.
