Artificial intelligence (AI) firm Hugging Face announced on Friday that it had detected unauthorized access to its Spaces platform earlier this week.
"We have suspicions that a subset of Spaces' secrets could have been accessed without authorization," it wrote in an alert.
Spaces lets users build, host, and share AI and machine learning (ML) applications. It also functions as a discovery engine for finding AI applications built by other users of the platform.
In response to the security incident, Hugging Face said it is revoking a number of HF tokens present in those secrets and is notifying by email the users whose tokens were revoked.
"We recommend you refresh any key or token and consider switching your HF tokens to fine-grained access tokens which are the new default," it said.
Hugging Face, however, did not specify how many users are affected by the incident, which is now under further investigation. It has also notified law enforcement agencies and data protection authorities about the intrusion.
The news comes as the rapid growth of the AI industry has made AI-as-a-service (AIaaS) providers like Hugging Face a target for attackers, who could abuse them for malicious purposes.
In early April, cloud security company Wiz disclosed security issues in Hugging Face that could have allowed an attacker to gain cross-tenant access and poison AI/ML models by taking over the continuous integration and continuous deployment (CI/CD) pipelines.
Earlier research by HiddenLayer also found flaws in the Hugging Face Safetensors conversion service that made it possible to hijack AI models submitted by users and mount supply chain attacks.
"If a malicious actor were to compromise Hugging Face's platform, they could potentially gain access to private AI models, datasets, and critical applications, leading to widespread damage and potential supply chain risk," Wiz researchers wrote in April.