Space secrets security update

📰 Hugging Face Blog

Hugging Face's Spaces platform experienced unauthorized access to secrets, prompting a security update and recommendations for users to refresh keys and tokens

intermediate Published 31 May 2024
Action Steps
  1. Refresh any key or token
  2. Consider switching to fine-grained access tokens
  3. Monitor for suspicious activity and report to security@huggingface.co if necessary
Who Needs to Know This

The development, security, and DevOps teams can benefit from understanding the security measures taken by Hugging Face to protect their Spaces platform and implement similar measures in their own organizations

Key Insight

💡 Fine-grained access tokens are the new default and provide increased security

Share This
🚨 Security update: Hugging Face's Spaces platform experienced unauthorized access to secrets. Refresh your keys and tokens! 💻

Key Takeaways

Hugging Face's Spaces platform experienced unauthorized access to secrets, prompting a security update and recommendations for users to refresh keys and tokens

Full Article

Published Time: 2024-05-31T00:00:00.400Z

# Space secrets security update

[![Image 1: Hugging Face's logo](https://huggingface.co/front/assets/huggingface_logo-noborder.svg)Hugging Face](https://huggingface.co/)

* [Models](https://huggingface.co/models)
* [Datasets](https://huggingface.co/datasets)
* [Spaces](https://huggingface.co/spaces)
* [Buckets new](https://huggingface.co/storage)
* [Docs](https://huggingface.co/docs)
* [Enterprise](https://huggingface.co/enterprise)
* [Pricing](https://huggingface.co/pricing)
*
*
* * *

* [Log In](https://huggingface.co/login)
* [Sign Up](https://huggingface.co/join)

[Back to Articles](https://huggingface.co/blog)

# [](https://huggingface.co/blog/space-secrets-disclosure#space-secrets-leak-disclosure) Space secrets leak disclosure

Published May 31, 2024

[Update on GitHub](https://github.com/huggingface/blog/blob/main/space-secrets-disclosure.md)

[- [x] Upvote 52](https://huggingface.co/login?next=%2Fblog%2Fspace-secrets-disclosure)
* [![Image 2](https://cdn-avatars.huggingface.co/v1/production/uploads/1594144055859-5ee3a7cd2a3eae3cbdad1305.jpeg)](https://huggingface.co/yjernite "yjernite")
* [![Image 3](https://cdn-avatars.huggingface.co/v1/production/uploads/1594651707950-noauth.jpeg)](https://huggingface.co/lewtun "lewtun")
* [![Image 4](https://cdn-avatars.huggingface.co/v1/production/uploads/1639773384591-5f353bb37e58354338621655.jpeg)](https://huggingface.co/nbroad "nbroad")
* [![Image 5](https://cdn-avatars.huggingface.co/v1/production/uploads/5fa19f4ba13e063b8b2b5e11/nGVHdTYX2udnt-K8mqY27.jpeg)](https://huggingface.co/abhishek "abhishek")
* [![Image 6](https://cdn-avatars.huggingface.co/v1/production/uploads/1613511937628-5fb15d1e84389b139cf3b508.jpeg)](https://huggingface.co/MoritzLaurer "MoritzLaurer")
* [![Image 7](https://cdn-avatars.huggingface.co/v1/production/uploads/6032802e1f993496bc14d9e3/w6hr-DEQot4VVkoyRIBiy.png)](https://huggingface.co/osanseviero "osanseviero")
* +46

[![Image 8: system's avatar](https://cdn-avatars.huggingface.co/v1/production/uploads/1646125250765-61af81e7a7205fb7cc9ec0cb.png)](https://huggingface.co/system)

[system system Follow](https://huggingface.co/system)

Earlier this week our team detected unauthorized access to our Spaces platform, specifically related to Spaces secrets. As a consequence, we have suspicions that a subset of Spaces’ secrets could have been accessed without authorization.

As a first step of remediation, we have revoked a number of HF tokens present in those secrets. Users whose tokens have been revoked already received an email notice. **We recommend you refresh any key or token and consider switching your HF tokens to fine-grained access tokens which are the new default.**

We are working with outside cyber security forensic specialists, to investigate the issue as well as review our security policies and procedures.

Over the past few days, we have made other significant improvements to the security of the Spaces infrastructure, including completely removing org tokens (resulting in increased traceability and audit capabilities), implementing key management service (KMS) for Spaces secrets, robustifying and expanding our system’s ability to identify leaked tokens and proactively invalidate them, and more generally improving our security across the board. We also plan on completely deprecating “classic” read and write tokens in the near future, as soon as fine-grained access tokens reach feature parity. We will continue to investigate any possible related incident.

Finally, we have also reported this incident to law enforcement agencies and Data protection authorities.

We deeply regret the disruption this incident may have caused and understand the inconvenience it may have posed to you. We pledge to use this as an opportunity to strengthen the security of our entire infrastructure. For any question, please contact us at [security@huggingface.co](mailto:security@huggingface
Read full article → ← Back to Reads

Related Videos

Pole Pruner How A Rope Lever Shears High Branches
Pole Pruner How A Rope Lever Shears High Branches
Innoforge Studio
AI Mind Talks #4: Scaling Enterprise AI — with HiBob Head of AI Core Unit Yoni Friedman
AI Mind Talks #4: Scaling Enterprise AI — with HiBob Head of AI Core Unit Yoni Friedman
HiBob, modern HR made for modern business
MCP Security : Defense/ Guardrails
MCP Security : Defense/ Guardrails
Modern Security - Secuity Engineering Academy
103 Edge AI  On Device Intelligence
103 Edge AI On Device Intelligence
Sinsavk AI for beginners
Designing Machine Learning Systems | Chapter 7: Model Deployment & Prediction Service
Designing Machine Learning Systems | Chapter 7: Model Deployment & Prediction Service
onepagecode
LFM2.5-8B-A1B — Fastest Local AI Agent on a Laptop? (6 Tests)
LFM2.5-8B-A1B — Fastest Local AI Agent on a Laptop? (6 Tests)
Prompt Engineer