Hugging Face AI Firm Identifies Unauthorized Entry to Its Spaces Platform

Hugging Face, an Artificial Intelligence (AI) company, announced on Friday the detection of unauthorized access to its Spaces platform earlier this week.

"We suspect that certain aspects of Spaces may have been accessed without proper authorization," the company stated in an advisory.

Spaces enables users to develop, host, and share AI and machine learning (ML) applications, while also serving as a discovery service for finding AI apps created by other users.

In response to the security incident, Hugging Face is revoking a number of HF tokens found in the compromised areas and notifying affected users via email.

"We recommend refreshing any keys or tokens and considering a switch to fine-grained access tokens, which are now the default," the advisory added.

Hugging Face did not disclose the exact number of impacted users, as the incident remains under investigation. The company has informed law enforcement and data protection authorities of the breach.

The incident highlights how the rapid growth of the AI sector has made AI-as-a-service (AIaaS) providers like Hugging Face targets for attackers who may exploit them for malicious purposes.

In early April, Wiz, a cloud security firm, identified security flaws in Hugging Face that could allow adversaries to gain cross-tenant access and compromise AI/ML models through the CI/CD pipelines.

Previous research by HiddenLayer also uncovered vulnerabilities in Hugging Face's Safetensors conversion service that made it possible to hijack AI models and potentially mount supply chain attacks.

"If malicious actors compromise Hugging Face's platform, they could access private AI models, datasets, and critical applications, posing significant supply chain risks and causing widespread damage," Wiz researchers warned in April.