Attackers breached Docker Hub, grabbed keys and tokens

Docker, the company behing the popular virtualization tool bearing the same name, has announced late on Friday that it has suffered a security breach.

Docker Hub breach

There was no official public announcement. Instead, the company sent an alert to potentially affected customers and urged them to change their passwords check their security logs.

What happened?

“On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data,” the company shared.

“During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.”

The company has promised to keep users updated on the situation and has reassured them that they’ve revoked GitHub tokens and access keys for users with autobuilds that may have been impacted.

They also asked users to change their password on Docker Hub and any other accounts that shared the same password, and to review security logs of their Docker Hub, GitHub and BitBucket accounts to see if any unexpected access has occurred in the brief period between the breach and its discovery.

The danger of compromised tokens

It seems very likely that the attackers were after the tokens and access keys that would then allow them to access companies’ critical code repositories and inject malicious code in auto-built containers.

Security researcher Kenneth White has also pointed out the danger of this breach to companies that do not use Docker Hub but whose developers might have used Docker with GitHub integration:

It be seen whether Docker has reacted quickly enough to minimize or remove the risk of attackers misusing the data they briefly had access to.