Docker Hub breach exposes 190K accounts

The well-used container application platform has reported a security breach.
29 April 2019

Docker Hub has fallen victim to a security breach, exposing details of 190,000 users.

Announcing the breach in an email to customers over the weekend, the world’s largest container image library said it had discovered unauthorized access last Thursday (April 25).

The breached database reportedly contained a “subset of non-financial user data”, according to the statement from Docker Support’s Director, Kent Lamb, who added that the sensitive data would account for “less than 5% of Hub users”.

“Data includes usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds.”

It isn’t yet clear how the breach happened and how long the attackers had access.

Launched in 2014, the Docker Hub is a repository for users of the open-source Docker container application platform to find free Docker application images. Container technology allows developers to build, package and deploy applications.

While Docker Hub contains a wide variety of container images, it claims its official versions, which are developed by Docker and undergo additional scrutiny and security measures, weren’t compromised.

According to Docker, these official container applications include Notary signing, which uses the open-source The Update Framework (TUF) to add multiple layers of verification that help maintain the security of application images and their updates.

Docker has said that “no action is required” for regular Docker Hub users apart from following a password reset link sent to anyone who potentially had their password exposed.

However, for DevOps teams which use GitHub and Bitbucket to automatically build code at periodic intervals, container images are often deployed automatically to Docker Hub as part of the process.

“Users who have autobuilds who have had their GitHub or Bitbucket repositories unlinked will need to relink those repositories,” said Docker.

Tim Erlin, VP, product management and strategy at Tripwire, said: “It’s important to remember that the DevOps Toolchain is also the DevOps Supply Chain.”

“Cloud and DevOps have brought impressive, new opportunities for automation, delivering unprecedented velocity, but technology shifts always involve new attack surface as well.

“The integrated tools, and the infrastructure that supports them, present new opportunities for attackers as well as users.

“Information security teams should be incorporating these kinds of supply chain compromises in their regular threat-modeling. The worst time to formulate a response plan is after an incident has been discovered,” Erlin said.