Docker Hub hack affected 5 percent of its users – usernames and hashed passwords exposed
On April 25, Docker Hub, the cloud-based repository service for Docker container images, suffered a data breach when a malicious actor managed to briefly gain access to its internal database.
According to the advisory published by the company, the breach affected five percent of its users (190,000), and the affected data includes usernames and hashed passwords. Although the breached database did not contain any financial information, it included GitHub and Bitbucket tokens of some users, which are used to authenticate to those services without entering a password.
The incident came to light when the firm started notifying the affected users by sending them warning emails on April 26, one day after the unauthorized access to the database, as explained by Kent Lamb, Global Technical Support Director:
On Thursday, April 25th, 2019, we discovered unauthorized access to a single Docker Hub database storing a subset of non-financial user data. Upon discovery, we acted quickly to intervene and secure the site.
Initially, the company did not publicly announce the breach but rather started notifying its customers. Nevertheless, the official advisory was published a short time later.
Docker Hub is one of the most popular cloud-based libraries for container images; it lets developers publish images, keep them public or private, and pull them wherever they are needed.
Docker Hub security breach might be much more serious than it seems
Docker says that it acted immediately by notifying the affected users and revoking the affected GitHub and Bitbucket tokens. As a result, users whose autobuilds are linked to those services will be prompted to re-link their repositories. Users whose password hashes may have been exposed were asked to reset their passwords as a precautionary measure.
Docker Hub states that no Official Images placed on the platform before, during or after the breach were compromised, as additional security measures are in place to protect them:
No Official Images have been compromised. We have additional security measures in place for our Official Images including GPG signatures on git commits as well as Notary signing to ensure the integrity of each image.
Nevertheless, the breach sparked concerns among security researchers, since its impact can extend far beyond the relatively small number of affected accounts:
On the Docker breach: Even if your company doesn't rely on Docker Hub for production, if a developer in your org enabled auto builds and linked to GitHub via oauth for a personal project, when that oauth token is compromised, _all_ repos on GH they had access to are vulnerable.
Re-upping: what started as a Docker issue is now (also) a GitHub issue, *even if your org does not use Docker*. If any one of your developers used Docker with GitHub integration (even for a single, unrelated personal project) _your_ private repos were potentially exposed.
Precautionary measures after the data breach
While it is unknown whether the malicious actor managed to steal any of the data stored in the compromised database during the breach, it is vital to act immediately.
Those impacted by the breach will receive an email with a direct link to change their password. Additionally, the password should be changed on every other account where it was reused, although reusing passwords is bad practice in general.
Users should always make sure they are using strong passwords and change them frequently, or use a password manager. Additionally, two-factor authentication can stop many attacks from compromising personal accounts across multiple platforms.
Docker said that it is still investigating the breach and that its full extent will be disclosed as soon as more information is available. In the meantime, the company has implemented additional monitoring tools and is also working on “enhancing overall security processes and reviewing policies.”