An unauthorized person gained access to a Docker Hub database, exposing sensitive information for approximately 190,000 accounts (less than 5% of Hub users). The data includes usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds.
Actions to Take
- Change your password on Docker Hub and any other accounts that shared this password.
- For users with autobuilds that may have been impacted, the Docker security team has revoked GitHub tokens and access keys, and asks that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place.
- You may view security actions on your GitHub or Bitbucket accounts to see if any unexpected access has occurred over the past 24 hours.
- This may affect your ongoing builds from our Automated build service. You may need to unlink and then relink your GitHub and Bitbucket source provider as described here.
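One way to carry out the 24-hour security log review described above, as an added example that is not part of the original notice. It assumes the log has been exported as one JSON object per line; the field names, action names, IP addresses and timestamps are constructed for illustration and are not GitHub's or Bitbucket's actual schema.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export, one JSON object per line. Field and action names
# are assumptions for illustration, not GitHub's or Bitbucket's schema.
SAMPLE_LOG = """\
{"timestamp": "2024-01-08T08:00:00Z", "action": "deploy_key.create", "actor_ip": "203.0.113.50"}
{"timestamp": "2024-01-09T20:30:00Z", "action": "repo.access", "actor_ip": "198.51.100.7"}
{"timestamp": "2024-01-10T02:10:00Z", "action": "deploy_key.create", "actor_ip": "203.0.113.50"}
{"timestamp": "2024-01-10T03:00:00Z", "action": "hook.create", "actor_ip": "198.51.100.7"}
truncated-line-not-json
"""
SAMPLE_NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed
KNOWN_IPS = {"198.51.100.7"}  # constructed: addresses you expect (office, CI)
SENSITIVE_ACTIONS = {"deploy_key.create", "hook.create"}  # constructed names


def parse_ts(value):
    """Parse a UTC timestamp of the form 2024-01-10T02:10:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review(log_text, now, window_hours=24, known_ips=KNOWN_IPS):
    """Return (event, reasons) pairs for entries in the window that need a look."""
    cutoff = now - timedelta(hours=window_hours)
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            when = parse_ts(event["timestamp"])
        except (ValueError, KeyError, TypeError):
            # Never drop an unreadable entry silently: it may hide an event.
            findings.append(({"line": line_no}, ["unparseable entry"]))
            continue
        if not cutoff <= when <= now:
            continue
        reasons = []
        if event.get("actor_ip") not in known_ips:
            reasons.append("unrecognized source IP")
        if event.get("action") in SENSITIVE_ACTIONS:
            reasons.append("sensitive action")
        if reasons:
            findings.append((event, reasons))
    return findings


if __name__ == "__main__":
    for event, reasons in review(SAMPLE_LOG, SAMPLE_NOW):
        print(", ".join(reasons), "->", event)
```

Replace `KNOWN_IPS` and `SENSITIVE_ACTIONS` with the addresses and event types that apply to your own account before relying on the output.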