Kent Lamb (Director of Support) announced this security breach of ~190k Docker Hub accounts on Friday: https://success.docker.com/article/docker-hub-user-notification
His post does not outline a good way to tell if your account was included or any signs to look for. Some people have received e-mails warning them about the security breach. I also got one of these emails. Were those e-mails sent to all users, all affected users, or just known affected users? Are there signs we can look for besides an e-mail from Docker Hub?
Specifically, I got a notification that an SSH key was added to one of my GitHub repositories yesterday:
The following SSH key was added to the Smarter-Sorting/api-services repository by [me]:
Docker Cloud Build
4f:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
If you believe this key was added in error, you can remove the key and disable
access at the following location: [...]
I did receive an e-mail from Docker Hub, so I assume these are related to the breach. Is this typical of what people are seeing in this security breach? I didn't add this key, and my GitHub Security History looks like this:
I’m posting this mainly to ask:
A) Who received the e-mail?
B) Is “Docker Cloud Build” still what it’s called, or is that a spoofed app name?
C) Are these typical signs of the security breach?
D) For compromised accounts, what did they have access to? I assume they would have had access to the contents of our images/repositories? My GitHub account doesn't seem to have been unlinked from Docker Hub, but should I be removing and re-linking it anyway?
I'm hoping this will benefit others looking into it for themselves. I'm fairly certain these are signs of a breach, but I can also come up with potential explanations for them that don't involve a security breach (maybe one of my teammates did set up Docker Cloud Build on that repo and it showed my GitHub username because I set up the integration originally, or because I own the org, or something; and all the failed verifications could be from past Cloud Build integrations we failed to delete or something, though that seems very unlikely considering the timing and frequency), so I would like to confirm with other affected users that this is similar to what they have seen. I would also like to hear from Docker Support about what they are seeing, and answers to the questions above.
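One concrete check for the question above ("are there signs we can look for?") is to enumerate the deploy keys on each repository and compare them against the key-added notification. The script below is an added example, not code from the original poster, Docker or GitHub. It assumes the JSON shape returned by GitHub's deploy-key endpoint (GET /repos/{owner}/{repo}/keys, which the `gh api` CLI can fetch), computes the colon-separated MD5 fingerprint in the format the notification e-mail shows ("4f:..:.."), and flags keys whose title, fingerprint or creation time match the notification. The embedded repository data, dates and key blob are constructed for illustration; the "Docker Cloud Build" title and the cutoff date are taken from the post's own timeline.

```python
"""Audit a repository's deploy keys against a GitHub key-added notification.

Usage (live):  gh api repos/OWNER/REPO/keys | python audit_deploy_keys.py
Run without stdin input it audits a constructed sample instead.
"""
import base64
import hashlib
import json
import sys
from datetime import datetime, timezone

# Title shown in the notification e-mail quoted in the post.
NOTIFIED_TITLE = "Docker Cloud Build"

# Constructed cutoff: the day before the breach announcement; keys created
# on or after it deserve a second look.
CUTOFF = datetime(2019, 4, 25, tzinfo=timezone.utc)

# Constructed sample in the shape of GET /repos/{owner}/{repo}/keys.
# The ed25519 blob is a dummy value with valid base64, not a real key.
SAMPLE_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampleX"
SAMPLE_KEYS = [
    {"id": 1, "title": "CI deploy key (read-only)",
     "key": "ssh-ed25519 " + SAMPLE_BLOB[:-1] + "A",
     "created_at": "2018-06-12T09:30:00Z", "read_only": True, "verified": True},
    {"id": 2, "title": "Docker Cloud Build",
     "key": "ssh-ed25519 " + SAMPLE_BLOB,
     "created_at": "2019-04-26T14:05:00Z", "read_only": False, "verified": True},
]


def _key_blob(public_key: str) -> bytes:
    """Decode the base64 blob of an OpenSSH public key line ('type blob [comment]')."""
    fields = public_key.split()
    blob = fields[1] if len(fields) > 1 else fields[0]
    return base64.b64decode(blob)


def md5_fingerprint(public_key: str) -> str:
    """MD5 fingerprint as 16 colon-separated hex pairs (the notification e-mail format)."""
    digest = hashlib.md5(_key_blob(public_key)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(public_key: str) -> str:
    """SHA256 fingerprint in the 'SHA256:<unpadded base64>' form used by ssh-keygen -l."""
    digest = hashlib.sha256(_key_blob(public_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_deploy_keys(keys, notified_title, notified_fingerprint=None, since=None):
    """Return one finding per key that matches the notification by title,
    MD5 fingerprint, or creation time (when `since` is given).

    Each finding carries the key id, both fingerprints, whether the key can
    push (read_only == False), and the reasons it was flagged, so it can be
    matched against the e-mail and removed via the API or the repo settings UI.
    """
    findings = []
    for key in keys:
        reasons = []
        md5 = md5_fingerprint(key["key"])
        if key.get("title") == notified_title:
            reasons.append("title matches notification")
        if notified_fingerprint and md5 == notified_fingerprint.strip().lower():
            reasons.append("MD5 fingerprint matches notification")
        if since is not None:
            created = datetime.fromisoformat(key["created_at"].replace("Z", "+00:00"))
            if created >= since:
                reasons.append("created " + key["created_at"] + ", after cutoff")
        if reasons:
            findings.append({
                "id": key["id"],
                "title": key.get("title"),
                "md5": md5,
                "sha256": sha256_fingerprint(key["key"]),
                "can_push": not key.get("read_only", True),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    keys = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_KEYS
    for finding in audit_deploy_keys(keys, NOTIFIED_TITLE, since=CUTOFF):
        print(json.dumps(finding, indent=2))
```

A key that matches the e-mail but that nobody on the team recognises should be removed (DELETE /repos/{owner}/{repo}/keys/{key_id}); note that a deploy key with `read_only` false can push to the repository, not just clone it, which is the case to treat most urgently.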