View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cloud
April 29, 2019

Docker Hacked: 190,000 Accounts Breached

Intruders may have used breach to access sensitive GitHub repositories

By CBR Staff Writer

Docker, the company behind an open platform for building and running distributed applications, said on Friday that hackers had breached one of its databases, potentially giving them access to sensitive source code on the external repositories of up to 190,000 different customers.

Data stolen from the San Francisco-based container specialist included usernames and hashed passwords for around five percent of Docker’s customers, as well as GitHub and Bitbucket tokens for Docker autobuilds. (i.e. passwords that bridge Docker and external codebase repositories).

Docker is used by many of the world’s largest financial and technology companies, including Paypal and Visa, as well as blue chips like pharmaceutical giant GlaxoSmithKline. It is unclear which accounts were affected: Microsoft was among those making clear that its official files hosted in Docker Hub were not compromised.

See also: With Windows Server Support to End, Docker Launches Migration Tool

Docker hackedThe company rapidly scrambled to plug the breach, invalidating the passwords of those affected and deleting the subset of users’ GitHub tokens (used in place of a password when performing Git operations over HTTPS with Git on the command line or the API).

Docker Hacked: What Happened?

Docker said: “On Thursday, April 25th, 2019, we discovered unauthorized access to a single Docker Hub database storing a subset of non-financial user data. Upon discovery, we acted quickly to intervene and secure the site. Sensitive data from approximately 190,000 accounts may have been exposed.

“We are asking users to change their password on Docker Hub and any other accounts that shared this password. For users with autobuilds that may have been impacted, we have revoked GitHub tokens and access keys. This means your autobuilds will fail, and we ask that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place.”

“We are enhancing our overall security processes and reviewing our policies. Additional monitoring tools are now in place” Docker said, without adding further details.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

Company Q&A

Docker ran a Q&A for worried customers, saying no action was needed: it had invalidated passwords for the accounts affected (even if that may feel to users like the stable door being locked after the horse has bolted…)

“If you directly received an email from Docker about this incident, you may have been impacted. If you have received a password reset link, your password hash was potentially exposed”, the company noted.

Relinking Docker Hub (the company’s cloud-based service) to GitHub repositories is not a risk, the company said; it will just create a new read-only deploy key to your GitHub or Bitbucket source repositories.

Docker Hacked: Microsoft Responds

In a short blog post, Microsoft’s Steve Lasker, a programme manager at the company’s Azure Container Registry, said: “While initial information led people to believe the hashes of the accounts could lead to image:tags being updated with vulnerabilities, including official and microsoft/ org images, this was not the case.”

“Microsoft has confirmed that the official Microsoft images hosted in Docker Hub have not been compromised.”

Read this: Docker Teams up with UK’s Arm to Create “Common Software Pipeline” for Cloud and Edge

He added: “As a cloud and software company, Microsoft has been transitioning official Microsoft images from being served from Docker Hub, to being served directly by Microsoft ​as of May of 2018. To avoid breaking existing customers, image:tags previously available on Docker Hub continue to be made available.”

“However, newer Microsoft images and tags are available directly from the Microsoft Container Registry (MCR) at mcr.microsoft.com. Search and discoverability of the images are available through Docker Hub, however Docker pull, run and build statements should reference mcr.microsoft.com.”

He added: “Leveraging community and official images from Docker Hub and Microsoft are a critical part of today’s cloud native development. At the same time, it’s always important to create a buffer between these public images and your production workloads. These buffers account for availability, performance, reliability and the risk of vulnerabilities. Regardless of which cloud you use, or if you are working on-prem, importing production images to a private registry is a best practice that puts you in control of the authentication, availability, reliability and performance of image pulls.”

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU