Microsoft says its official Microsoft images hosted in Docker Hub have not been compromised.
The company behind Docker, a program for managing operating-system-level virtualization, has announced that it suffered a data breach in which one of the Docker Hub databases was accessed by unknown hackers.
The attack was detected on April 25th; the hackers stole “sensitive” data on over 190,000 users, including usernames, hashed passwords, and the GitHub and Bitbucket tokens used for Docker autobuilds.
“For users with autobuilds that may have been impacted, we have revoked GitHub tokens and access keys. This means your autobuilds will fail, and we ask that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place,” Docker said in a security advisory.
Docker is urging users to change their passwords on Docker Hub and on any other accounts that shared the same password. It is also contacting all affected users while the incident is investigated.
“We are enhancing our overall security processes and reviewing our policies. Additional monitoring tools are now in place,” the company said.
Microsoft has also responded to the breach. Steve Lasker, program manager for Azure Container Registry, said: “While initial information led people to believe the hashes of the accounts could lead to image:tags being updated with vulnerabilities, including official and Microsoft/org images, this was not the case.”
“Microsoft has confirmed that the official Microsoft images hosted in Docker Hub have not been compromised.”
“As a cloud and software company, Microsoft has been transitioning official Microsoft images from being served from Docker Hub, to being served directly by Microsoft as of May of 2018. To avoid breaking existing customers, image:tags previously available on Docker Hub continue to be made available,” Lasker added.
“However, newer Microsoft images and tags are available directly from the Microsoft Container Registry (MCR) at mcr.microsoft.com. Search and discoverability of the images are available through Docker Hub, however, Docker pull, run and build statements should reference mcr.microsoft.com.”
“Leveraging community and official images from Docker Hub and Microsoft is a critical part of today’s cloud-native development. At the same time, it’s always important to create a buffer between these public images and your production workloads.”
“These buffers account for availability, performance, reliability and the risk of vulnerabilities. Regardless of which cloud you use, or if you are working on-prem, importing production images to a private registry is a best practice that puts you in control of the authentication, availability, reliability, and performance of image pulls,” Lasker recommended.
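The two controls Lasker's advice implies, pulling base images only from an approved registry (MCR or a private mirror, never straight from Docker Hub) and pinning them by digest so an altered image:tag upstream cannot silently reach a production build, can be checked at build time. The Dockerfile audit below is an added example, not Docker's or Microsoft's code; mcr.microsoft.com comes from the article, while the registry.example.internal host, the image names, stage names and the digest are constructed placeholders.

```python
"""Audit Dockerfile FROM lines: base images must come from an approved
registry and must be pinned by digest. Constructed example, not Docker's
or Microsoft's code."""
import re

# Approved registries: mcr.microsoft.com is named in the article;
# registry.example.internal is a hypothetical private mirror.
ALLOWED_REGISTRIES = {"mcr.microsoft.com", "registry.example.internal"}

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def registry_of(ref):
    """Host an image reference resolves to, following the docker CLI rule:
    the first path component is a registry only if it contains '.' or ':'
    or is 'localhost'; otherwise the reference means Docker Hub (docker.io)."""
    first, sep, _ = ref.split("@", 1)[0].partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"

def audit_dockerfile(text, allowed=ALLOWED_REGISTRIES):
    """Return (line_number, reference, issue) for every FROM line that
    pulls from an unapproved registry or is not pinned to a digest."""
    findings, stages = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage.lower())
        # 'scratch' and earlier build stages are not pulled from any registry.
        if ref.lower() == "scratch" or ref.lower() in stages:
            continue
        if registry_of(ref) not in allowed:
            findings.append((lineno, ref, "untrusted-registry"))
        if not DIGEST_RE.search(ref):
            findings.append((lineno, ref, "unpinned"))
    return findings

# Constructed sample Dockerfile; the digest is a placeholder, not a real image.
FAKE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_DOCKERFILE = f"""\
FROM microsoft/dotnet:2.2-sdk AS build
FROM --platform=linux/amd64 mcr.microsoft.com/dotnet/core/runtime:2.2
FROM registry.example.internal/base/runtime:2.2@{FAKE_DIGEST}
COPY --from=build /app /app
"""

if __name__ == "__main__":
    for lineno, ref, issue in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {issue}: {ref}")
```

Run against the sample, the audit flags the first line twice (Docker Hub origin and no digest) and the second line once (MCR but unpinned); the digest-pinned private-mirror image passes.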
Although a breach involving 190,000 users may not appear large, ZDNet noted that “while only 190,000 seems a small breach, it is not. A vast majority of Docker Hub users are employees inside large companies, who may be using their accounts to auto-build containers that they then deploy in live production environments.”