May 6, 2019

Docker Hub Hack Leaked Sensitive Information of 190,000 Users: Concerning Consequences Followed

Docker Hub Hack Leaked Sensitive Information of 190,000 Users: Concerning Consequences Followed

The official repository for container images, Docker Hub experienced a security breach on 25th April 2019. The officials from the site confirmed that sensitive data from around 190,000 accounts approximately was exposed.

In an email to the users, Kent Lamb, the Director of Docker support said, “On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data.” He further added, “Upon discovery, we acted quickly to intervene and secure the site.”

According to container specialist, unauthorized access was experienced for a “brief period” and impacted less than 5 percent of the user-base. However, the data suspected to be stolen includes usernames and hashed passwords, along with Bitbucket and GitHub tokens for Docker auto builds.  

In an action to keep the accounts safe, Docker revoked the GitHub access keys and tokens for affected accounts. The company warned users that ongoing builds from the Docker automated build service may have been affected and users “may need to unlink and then relink your GitHub and BitBucket source provider.”

In an interview to Threatpost, Torsten George, the cybersecurity evangelist at Centrify said, “When you dig deeper into the details of the breach, you’ll see that it’s not about the numbers, but the reach. The big issue about this breach is the fact that the database included tokens from other much-used developer resources, including GitHub and Bitbucket. This breach stresses the importance of application-to-application password management (AAPM) and temporary credentials rather than permanent ones.”

Consequences and What to Do

“As a result of this breach, it’s possible that images in your Docker Hub repository may have been tampered with or overwritten,” said the vice president of product at StackRox, Wei Lien Dang. “Attacks on the build pipeline can have serious downstream effects on what is currently running inside your infrastructure. Tainted images can be difficult to detect, and the containers launched from them may even run as expected, except with a malicious process in the background. If you use Docker Hub with Kubernetes environments, you’ll also need to roll your ImagePullSecrets,” he added further.

  • Even if the passwords were hashed, we suggest Docker Hub users change their passwords on the Docker Hub as well as all other accounts with similar password or authentication from Docker Hub.
  • In order to keep their BitBucket and GitHub accounts safe from unauthorized access, the user can also view and take security actions mentioned on these sites.

Dang also addressed the changes in the application behavior that might come after the breach. Dang said, “Unexpected changes in images will have an effect on application behavior, making runtime detection and application baselining critical.” He further added,  “Characterizing the behaviors of individual Kubernetes deployments will highlight deviations in network connectivity, file access, and process executions. These deviations are all indicators that malicious activity is taking place within a container. You need the ability to quickly inspect runtime activity within your containers to verify they are running only expected processes.”

Also, Docker Hub failed to provide any timeline of the breach, that means no one is aware of the actual date and time when the unauthorized access occurred. “As with most breaches, the perpetrators may have had access to compromised resources significantly longer than just last week,” Dang said. “To be safe, you should verify recently pushed images going back over the past several weeks. Doing this audit can be difficult, as not every registry will let you filter the data by image age,” he added further.

Docker: A History of Security Breaches

Apparently, this is not the first time Docker has been in the headlines for a security breach. In January, a group of researchers hacked into the test platform known as Play-with-Docker with concept proof of the hack. It allowed them to access and manipulate any test Docker containers operating on the host system. The team also successfully escaped the container and run code on the host from a remote location.

Also, last year, hackers earned $90,000 in crypto-jacking profits when 17 docker images were found malicious on Docker Hub.

There is a history of hack attacks associated with Docker Hub and site owners have failed to make a firewall that cannot be breached.