Docker Hub had a security breach during which OAuth credentials "may" have been exposed, presumably for all Docker accounts. Their email mentions that they identified the issue on 2024.09.24, but they fail to mention how long it may have been going on prior to that. They invalidated the OAuth credentials, but the email that informs the users about this was sent on 2024.09.26, which provides a large enough window for the attacker to have cloned plenty of private repositories.
I have a Docker Hub account that was connected to my Bitbucket account, which also contains private code. I failed to revoke the OAuth credentials years ago when I stopped using the integration and I completely forgot about it - my bad there.
I would like to find out if the credentials have been used to clone the source code. It's not possible to view such accesses in the audit log, even though an issue about this has existed since 2013 (BB-9452).
Unfortunately, I have a free account, so I can't contact support directly. If anyone else who can contact support asks them about this issue, I would also like to know if any private code was cloned by using the exposed OAuth credentials.
I guess qualified support personnel could interrogate the logs database and look for Docker Hub OAuth credentials (presumably for multiple accounts) being used from IP addresses that do not belong to the IP range(s) used by Docker Hub.
For reference, here's the email received from Docker Hub:
"Hello,