Usernames, hashed passwords, GitHub and access tokens exposed in Docker Hub hack.
The official Docker container image registry, Docker Hub, announced a security breach late Friday night.
The breach came to light after the company began emailing clients about a security incident on April 25. “On Thursday 25 April 2019, we found unauthorized access to a single Hub database which stores a subset of non-financial user data,” says Docker Support Director Kent Lamb.
Docker says the attacker only had brief access to this database, but data for approximately 190,000 users were exposed. The company said this number represents only about 5% of Docker Hub's entire user base.
While it is unclear whether the attacker downloaded any user data from this Docker Hub server, they may have had access to Docker Hub usernames, hashed passwords, and the GitHub and Bitbucket tokens used to build Docker container images automatically.
Docker is now notifying affected users and instructing them to reset their passwords.
“We have removed GitHub tokens and access keys for users with autobuilds that may have been affected, and ask that you reconnect to your repositories and verify safety logs, if unexpected actions have taken place,” says Lamb in the email sent to customers.
The company also calls on users to check the login logs for their GitHub and Bitbucket accounts for access from unfamiliar IP addresses. Although 190,000 accounts may sound like a small breach, it is not.
A large majority of Docker Hub users are employees of large companies who may use their accounts to automatically build container images that are then deployed in live production environments.
A user who does not change their password could have their autobuilt images modified to include malware.
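The log review Docker asks for (looking through GitHub or Bitbucket security logs for sign-ins and token events from unfamiliar addresses during the exposure window) is easy to script. The following is an added example, not code from the article or from Docker or GitHub: it parses constructed, CSV-style audit log lines (timestamp, actor, source IP, action) and flags events from IPs outside the organisation's known ranges, plus any token or key events inside the window. The known IP range, the window dates other than 25 April 2019, and the action names are assumptions made for the example; adapt them to the real export format of your provider.

```python
"""Flag suspicious sign-ins and token events in a constructed audit log.

Added example, not part of the original article. Assumes a CSV-style export
with the columns timestamp, actor, source IP, action. The action names, the
known egress range and the window boundaries are assumptions for the example.
"""
from datetime import datetime, timezone
import ipaddress

# Constructed sample log (RFC 5737 documentation addresses, not real data).
SAMPLE_LOG = """\
2019-04-22T09:14:03Z,alice,203.0.113.10,user.login
2019-04-25T02:41:57Z,alice,198.51.100.77,oauth_access.create
2019-04-25T02:43:10Z,alice,198.51.100.77,repo.download_zip
2019-04-26T08:02:11Z,bob,203.0.113.22,user.login
2019-04-27T15:30:00Z,alice,203.0.113.10,oauth_access.destroy
"""

# Assumption: the organisation's known egress range(s).
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Docker reported finding the unauthorized access on 25 April 2019; the window
# below pads that date on both sides (assumed values for the example).
WINDOW_START = datetime(2019, 4, 24, tzinfo=timezone.utc)
WINDOW_END = datetime(2019, 4, 28, tzinfo=timezone.utc)

# Assumed action names for token/key lifecycle events.
TOKEN_ACTIONS = {"oauth_access.create", "oauth_access.destroy", "public_key.create"}


def parse_line(line):
    """Split one CSV-style audit line into typed fields."""
    ts, actor, ip, action = line.strip().split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "actor": actor,
        "ip": ipaddress.ip_address(ip),
        "action": action,
    }


def is_known_ip(ip):
    """True if the source address falls inside a known egress range."""
    return any(ip in net for net in KNOWN_RANGES)


def review(log_text):
    """Return (actor, action, ip, reasons) for every event that merits a look.

    An event is flagged when it comes from an unfamiliar IP, and/or when it
    is a token or key event inside the exposure window.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = []
        if not is_known_ip(ev["ip"]):
            reasons.append("unfamiliar_ip")
        if ev["action"] in TOKEN_ACTIONS and WINDOW_START <= ev["ts"] <= WINDOW_END:
            reasons.append("token_event_in_window")
        if reasons:
            findings.append((ev["actor"], ev["action"], str(ev["ip"]), reasons))
    return findings


def actors_needing_rotation(log_text):
    """Actors with any activity from an unfamiliar IP: rotate their tokens."""
    return {actor for actor, _, _, reasons in review(log_text) if "unfamiliar_ip" in reasons}


if __name__ == "__main__":
    for actor, action, ip, reasons in review(SAMPLE_LOG):
        print(f"{actor:6} {action:22} {ip:16} {', '.join(reasons)}")
    print("rotate tokens for:", sorted(actors_needing_rotation(SAMPLE_LOG)))
```

In the constructed sample, alice's token creation and repository download from 198.51.100.77 are flagged as coming from an unfamiliar address inside the window, while her later token revocation from a known address is listed only because it is a token event in the window, which is the expected cleanup rather than an alarm.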
Docker said the incident is still being investigated and that it will share further details as they become available. The security incident was not disclosed on the company's website, only via email. A copy of the complete email can be found here or in the picture below.
Been hearing some chatter about this today, but nothing official until now. Probably a wise move to regen your keys & passwords on DockerHub, especially publishers. https://t.co/ZVuRRbWaw7
— Kenn White (@kennwhite) 27 April 2019