Docker Hub released a security bulletin saying that its database was accessed by unauthorized users on Wednesday, and that its security team quickly shut the access down once it was discovered. For those interested in the full contents of the email, a recipient posted the full text of the notification to Y Combinator's Hacker News; it is shown below.
On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data. Upon discovery, we acted quickly to intervene and secure the site.
We want to update you on what we’ve learned from our ongoing investigation, including which Hub accounts are impacted, and what actions users should take.
Here is what we’ve learned:
During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.
Actions to Take:
– We are asking users to change their password on Docker Hub and any other accounts that shared this password.
– For users with autobuilds that may have been impacted, we have revoked GitHub tokens and access keys, and ask that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place.
– You may view security actions on your GitHub or BitBucket accounts to see if any unexpected access has occurred over the past 24 hours - see https://help.github.com/en/articles/reviewing-your-security-log and https://bitbucket.org/blog/new-audit-logs-give-you-the-who-what-when-and-where
– This may affect your ongoing builds from our Automated build service. You may need to unlink and then relink your Github and Bitbucket source provider as described in https://docs.docker.com/docker-hub/builds/link-source/
We are enhancing our overall security processes and reviewing our policies. Additional monitoring tools are now in place.
Our investigation is still ongoing, and we will share more information as it becomes available.
Kent Lamb Director of Docker Support firstname.lastname@example.org
After this investigation, Docker Hub found that sensitive information belonging to about 190,000 users was stolen, including hashed passwords.
At the same time, if a user had linked a GitHub or Bitbucket repository, the corresponding token was also leaked, which affects the security of that repository. GitHub and Bitbucket tokens stored in Docker Hub allow attackers to modify the developer's project code, so developers should pay attention to this. For example, if an attacker tampers with a key project and implants malicious code, a supply chain attack could be triggered and the number of users who may be infected would be larger.
Currently, Docker Hub has revoked all compromised tokens and access keys, but developers are still advised to check their own code for issues.
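The repository check advised above can be partly automated. The following is an added example, not code from Docker or from the original article: it triages `git log` output for commits made during an exposure window and marks those from committers outside an expected list. The window dates, addresses, hashes and the function names are constructed assumptions.

```python
"""Added example: triage commits made during a token-exposure window."""
from datetime import datetime, timezone

# Input is the output of (real git options):
#   git log --all --format='%H|%ce|%cI|%s'
# Constructed sample; hashes, addresses and subjects are made up.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111|alice@example.com|2019-04-23T09:12:00+00:00|Bump base image
2222222222222222222222222222222222222222|build-bot@example.net|2019-04-25T03:40:11+00:00|Update Dockerfile
3333333333333333333333333333333333333333|alice@example.com|2019-04-25T15:02:45+02:00|Fix typo in README
4444444444444444444444444444444444444444|Bob@Example.com|2019-04-25T22:00:00+00:00|Merge a|b
"""

# Assumed window for illustration; the page only gives the discovery date.
WINDOW_START = datetime(2019, 4, 24, tzinfo=timezone.utc)
WINDOW_END = datetime(2019, 4, 26, tzinfo=timezone.utc)


def parse_line(line):
    """Split one log line; subjects may contain '|', so split only 3 times."""
    sha, email, when, subject = line.split("|", 3)
    return sha, email.strip().lower(), datetime.fromisoformat(when), subject


def triage_commits(log_text, known_committers, start, end):
    """Return (short_sha, committer, verdict) for every commit in the window.

    Committer e-mail is self-asserted and a token holder can set any value,
    so in-window commits from known committers are still listed for the
    named author to confirm instead of being silently accepted.
    """
    known = {e.lower() for e in known_committers}
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, email, when, _subject = parse_line(line)
        if not (start <= when <= end):
            continue  # outside the exposure window
        verdict = "confirm-with-author" if email in known else "unknown-committer"
        results.append((sha[:7], email, verdict))
    return results


if __name__ == "__main__":
    team = ["alice@example.com", "bob@example.com"]
    for row in triage_commits(SAMPLE_LOG, team, WINDOW_START, WINDOW_END):
        print(*row)
```

Commits this flags are a starting point for review alongside the GitHub or Bitbucket security log, not proof of tampering or of its absence.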