Docker Community Forums


Docker Hub Security Breach details, signs/hints

security
(Mltsy) #1

Kent Lamb (Director of Support) announced this security breach of ~190k Docker Hub accounts on Friday: https://success.docker.com/article/docker-hub-user-notification

His post does not outline a good way to tell if your account was included or any signs to look for. Some people have received e-mails warning them about the security breach. I also got one of these emails. Were those e-mails sent to all users, all affected users, or just known affected users? Are there signs we can look for besides an e-mail from Docker Hub?

Specifically, I got a notification that an SSH key was added to one of my GitHub repositories yesterday:

The following SSH key was added to the Smarter-Sorting/api-services repository by [me]:

Docker Cloud Build
4f:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

If you believe this key was added in error, you can remove the key and disable
access at the following location: [...]

I did receive an e-mail from Docker Hub, so I assume these are related to the breach. Is this typical of what people are seeing in this security breach? I didn’t add this key, and my GitHub Security History looks like this:

I’m posting this mainly to ask:

A) Who received the e-mail?
B) Is “Docker Cloud Build” still what it’s called, or is that a spoofed app name?
C) Are these typical signs of the security breach?
D) For compromised accounts, what did they have access to? I assume they would have had access to the contents of our images/repositories? My GitHub account doesn’t seem to have been unlinked from Docker Hub, but should I be removing and re-linking it anyway?

I’m hoping this will benefit others looking into it for themselves. I’m fairly certain they are signs of a breach, but I can also come up with potential explanations for them that don’t involve a security breach (maybe one of my teammates did set up Docker Cloud Build on that repo and it showed my GitHub username because I set up the integration originally, or because I own the org, or something. And all the failed verifications could be from past cloud build integrations we failed to delete or something - seems very unlikely though, considering the timing and frequency), so I would like to confirm with other affected users that this is similar to what they have seen. I would also like to hear from Docker Support about what they are seeing, and answers to the questions above.
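One way to review a repository's deploy keys for the sign described in this post, as an added example that is not part of the post or of Docker's own tooling: it recomputes the colon-separated MD5 fingerprint GitHub prints in its deploy-key notification e-mail from a key's public blob, and flags keys titled "Docker Cloud Build" that were created inside an assumed review window, or whose fingerprint matches one taken from such an e-mail. The key records, repository, dates and the window are constructed for the example; in practice the records would come from the repository's deploy-key listing.

```python
import base64
import hashlib
from datetime import datetime


def fake_ed25519_key(seed: int) -> str:
    # Constructed, syntactically valid ssh-ed25519 public key line; NOT a real key.
    alg = b"ssh-ed25519"
    point = bytes((seed + i) % 256 for i in range(32))
    blob = len(alg).to_bytes(4, "big") + alg + len(point).to_bytes(4, "big") + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


def md5_fingerprint(public_key: str) -> str:
    # MD5 over the decoded key blob, rendered as colon-separated hex pairs:
    # the "4f:..:.." form GitHub prints in its deploy-key notification e-mail.
    blob = base64.b64decode(public_key.split()[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample shaped like GitHub deploy-key records (title, key,
# created_at, read_only); ids, titles and dates are made up for the example.
SAMPLE_KEYS = [
    {"id": 101, "title": "ci-deploy", "read_only": True,
     "created_at": "2019-01-15T10:00:00Z", "key": fake_ed25519_key(1)},
    {"id": 102, "title": "Docker Cloud Build", "read_only": False,
     "created_at": "2019-04-26T14:03:00Z", "key": fake_ed25519_key(2)},
    {"id": 103, "title": "Docker Cloud Build", "read_only": True,
     "created_at": "2018-08-01T09:30:00Z", "key": fake_ed25519_key(3)},
]

# Assumed review window (the post gives no dates); adjust to the incident's.
WINDOW_START = datetime(2019, 4, 20)
WINDOW_END = datetime(2019, 4, 30)


def suspicious_keys(keys, window_start, window_end, known_fingerprints=()):
    # Flag a key when it carries the integration's title and was created inside
    # the review window, or when its fingerprint matches one from a notification.
    flagged = []
    for k in keys:
        created = datetime.strptime(k["created_at"], "%Y-%m-%dT%H:%M:%SZ")
        fp = md5_fingerprint(k["key"])
        in_window = window_start <= created <= window_end
        if (k["title"] == "Docker Cloud Build" and in_window) or fp in known_fingerprints:
            flagged.append({"id": k["id"], "title": k["title"], "fingerprint": fp,
                            "created_at": k["created_at"], "read_only": k["read_only"]})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_keys(SAMPLE_KEYS, WINDOW_START, WINDOW_END):
        print(hit)
```

A flagged key that is not read-only deserves the most attention, since a write-capable deploy key grants more than the image-build access the integration needs.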

#2

I wrote a blog post to review the Docker Hub and GitHub account activities. Please share with your network for reviewing their accounts and their organisation’s accounts as well.