Security Breach Compromises 190K Docker Hub Usernames and Passwords
Attackers recently exposed sensitive data from about 190,000 Docker Hub accounts.
Docker revealed to customers last week that a Docker Hub database of container images had experienced a breach, exposing the usernames and password hashes of about 190,000 accounts.
Docker Hub, Docker's container image repository, is used by thousands of major companies and developers around the globe.
In an email to Docker Hub customers and users, Docker said it discovered the breach on April 25. On Saturday, Motherboard obtained a copy of the message, which said attackers accessed "usernames and hashed passwords for a small percentage of [Docker Hub] users, as well as GitHub and Bitbucket tokens for Docker autobuilds." The breach affected 190,000 users — nearly five percent of Docker Hub's user base, according to Computing.co.uk.
Docker revoked all affected tokens and invalidated all potentially affected password hashes. "If you directly received an email from Docker about this incident, you may have been impacted," Docker told users. "If you have received a password reset link, your password hash was potentially exposed. We have invalidated it and sent you a password reset link as a precaution. If you are using autobuilds and your GitHub or Bitbucket repositories have been unlinked from Docker Hub, you will need to relink those repositories for autobuilds to work correctly."
"Although the breach only exposed 190,000 users, the tokens and keys exposed are routinely used for auto-building critical software for companies and for accessing their private code repositories," Jeremy Galloway, a security researcher at Atlassian, told Motherboard. "It's likely that attackers compromised Docker Hub simply as a means to an end to gain access to hundreds or thousands of other sensitive targets." (Full disclosure: Atlassian is currently a sponsor of the Agile Zone.)
"It's important to remember that the DevOps Toolchain is also the DevOps Supply Chain," said Tim Erlin, VP of product management and strategy at Tripwire. "The integrated tools, and the infrastructure that supports them, present new opportunities for attackers as well as users. Information security teams should be incorporating these kinds of supply chain compromises in their regular threat-modeling."
Docker reported that no official images were compromised in the recent breach, stating, "We have additional security measures in place for our Official Images including GPG signatures on git commits as well as Notary signing to ensure the integrity of each image."
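The Notary signing Docker mentions only protects consumers who verify signatures on the client side. The script below is an added example, not code from the article or from Docker, showing two checks a team can run after a registry incident: enabling Docker Content Trust for pulls (so the client refuses unsigned or tampered images) and scanning a Dockerfile for base images referenced by mutable tag instead of an immutable content digest. The `DOCKER_CONTENT_TRUST` variable and the `name@sha256:<digest>` reference form are standard Docker CLI behaviour; the sample Dockerfile and digest value are constructed for the example.

```shell
# Added example (not from the DZone article or Docker). Assumes Docker CLI
# semantics for DOCKER_CONTENT_TRUST and the image@sha256:<64 hex> reference form.

# Constructed sample digest (not a real image digest): 64 hex characters.
SAMPLE_DIGEST=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# Constructed sample Dockerfile: one base image pinned by tag, one by digest.
SAMPLE_DOCKERFILE="FROM alpine:3.9 AS builder
FROM --platform=linux/amd64 nginx@sha256:$SAMPLE_DIGEST"

# Return 0 if an image reference is pinned to a content digest
# (name@sha256:<64 hex chars>), 1 if it relies on a mutable tag.
is_digest_pinned() {
    case "$1" in
        *@sha256:*)
            digest=${1##*@sha256:}
            # exactly 64 characters, all lowercase hex
            [ "${#digest}" -eq 64 ] && [ -z "$(printf '%s' "$digest" | tr -d '0-9a-f')" ]
            ;;
        *)
            return 1
            ;;
    esac
}

# Read Dockerfile text on stdin and print every FROM reference that is not
# digest-pinned. Skips --flags such as --platform and ignores "AS <stage>".
unpinned_base_images() {
    grep -i '^FROM ' |
    awk '{ for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; break } }' |
    while read -r ref; do
        is_digest_pinned "$ref" || printf '%s\n' "$ref"
    done
}

# Pull with content trust enforced: the client rejects images that lack a
# valid Notary signature for the requested tag.
pull_with_content_trust() {
    DOCKER_CONTENT_TRUST=1 docker pull "$1"
}

# Usage: list base images in the sample Dockerfile that should be pinned.
printf '%s\n' "$SAMPLE_DOCKERFILE" | unpinned_base_images
# To pull a signed image in a real environment:
#   pull_with_content_trust library/alpine:3.9
```

Pinning by digest and enforcing content trust are complementary: the digest guarantees you get the exact bytes you reviewed, while content trust guarantees a signer you trust vouched for the tag you asked for, which matters when a registry account rather than the image content is what was compromised.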
The company is still investigating the incident.