Artificial intelligence (AI) company Hugging Face said on Friday that it detected unauthorized access to its Spaces platform earlier this week.
“We suspect that some of our space secrets may have been accessed without authorization,” the company said in its advisory.
Spaces provides a way for users to create, host, and share AI and Machine Learning (ML) applications, and also acts as a discovery service to find AI apps created by others on the platform.
In response to the security event, Hugging Face said it has taken steps to invalidate some HF tokens present in these secrets and has notified users whose tokens have been invalidated via email.
“We encourage you to update your keys and tokens and consider switching from HF tokens to fine-grained access tokens, which are the new default,” it added.
Hugging Face, however, did not disclose how many users were affected by the incident. The incident is currently under further investigation. The company has also alerted law enforcement and data protection authorities about the breach.
The development comes as explosive growth in the AI sector has made AI-as-a-Service (AIaaS) providers like Hugging Face a target for attackers, amid fears that such platforms could be exploited for malicious purposes.
In early April, cloud security firm Wiz detailed a security issue in Hugging Face that could allow adversaries to gain cross-tenant access and poison AI/ML models by hijacking continuous integration and continuous deployment (CI/CD) pipelines.
Previous research by HiddenLayer also uncovered a flaw in the Hugging Face Safetensors conversion service that could allow hackers to hijack user-submitted AI models to launch supply chain attacks.
“If malicious actors were to compromise the Hugging Face platform, they could gain access to private AI models, datasets and critical applications, which could lead to widespread damage and potential supply chain risks,” Wiz researchers noted in April.