Docker Hub had a security breach during which OAuth credentials "may" have been exposed, presumably for all Docker accounts. Their email mentions that they identified the issue on 2024.09.24, but they fail to mention how long it may have been going on prior to that. They invalidated the OAuth credentials, but the email that informs the users about this was sent on 2024.09.26, which provides a large enough window for the attacker to have cloned plenty of private repositories.
I have a Docker Hub account which was connected to my Bitbucket account which also contains private code. I failed to revoke the OAuth credentials years ago when I stopped using the integration and I completely forgot about it - my bad there.
I would like to find out if the credentials have been used to clone the source code. It's not possible to view such accesses in the audit log, even though an issue about this has been created ever since 2013 (BB-9452).
Unfortunately, I have a free account, so I can't contact support directly. If anyone else that can contact support asks them about this issue, I would also like to know if any private code was cloned by using the exposed OAuth credentials.
I guess qualified support personnel could interrogate the logs database and look for Docker Hub OAuth credentials (presumably for multiple accounts) being used from IP addresses that do not belong to the IP range(s) used by Docker Hub.
For reference, here's the email received from Docker Hub:
"Hello,
On September 24, 2024 we identified suspicious activity on our network. Upon identifying this potential security issue, we initiated an investigation.
We have discovered that OAuth credentials used for integration between Docker Hub Autobuilds and Bitbucket may have been exposed. While at this time there is no evidence that these credentials were accessed, your account is or was connected to Bitbucket and may potentially be affected.
To mitigate any potential risk, we have invalidated the OAuth credentials that allow access to Bitbucket repositories for Autobuilds. As a result, any newly triggered builds linked to Bitbucket will be stuck in a pending state without your intervention.
Next Steps:
- If you are actively using Autobuilds with Bitbucket, you will need to reconnect your account. Please follow the steps outlined here to set up a new Bitbucket connection through Docker Hub.
- We recommend that all users review their source repositories, especially those authorized for Autobuilds.
We are continuing to investigate this incident, and if we identify any additional impact or broader scope, we will notify you promptly.
Should you encounter any issues or require further assistance, please don’t hesitate to reach out to our
support team.
Thank you for your understanding and cooperation as we work diligently to resolve this matter.
Thank you,
The
Docker Team"
