On April 25th, Docker discovered that a Docker Hub database had been accessed by an unidentified threat actor or actors [1]. Account information was exposed and potentially exfiltrated. Docker Hub is a repository for identifying and sharing software container images [2]. The breach affected approximately 190,000 Docker Hub accounts (under five percent of Hub users), exposing usernames, hashed passwords, and the GitHub and Bitbucket tokens used for automated builds. As a precaution, Docker is notifying affected users and has revoked the affected GitHub and Bitbucket tokens and access keys [3]. Docker Hub users are strongly advised to change their passwords, reconnect any repositories that use automated builds, and review their Docker Hub, GitHub and Bitbucket security logs for unexpected changes or unauthorized access.

What you should do about it

  • Change your Docker Hub password, and any other account where the same password was reused
  • Review your Docker Hub repositories, and the GitHub and Bitbucket repositories linked to them, for unexpected pushes, tag changes or access
  • Reconnect the GitHub and Bitbucket repositories whose autobuild tokens and access keys were revoked
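The second step is the one most often done by eye. The following script, added here as an example (it is not eSentire's or Docker's code), makes it mechanical: it flags every tag in a repository that was pushed on or after the date Docker reported discovering the access, and every tag whose image digest differs from the digest your CI actually pushed or your deployment manifests pin. fetch_tags() and hub_login() use the JSON endpoints behind hub.docker.com (/v2/users/login/ and /v2/repositories/<namespace>/<repo>/tags/); the repository name, digests and timestamps in SAMPLE_TAGS and PINNED are constructed for illustration, so the audit itself runs offline.

```python
"""Audit Docker Hub tags after the breach: flag tags pushed inside the
exposure window and tags whose digest drifted from what you pinned.

Added example, not eSentire's or Docker's code.  The sample data below is
constructed; only fetch_tags()/hub_login() touch the real Hub API.
"""
import json
import urllib.request
from datetime import datetime, timezone

HUB = "https://hub.docker.com/v2"

# Docker reported discovering the unauthorized access on 2019-04-25.  Any tag
# whose last_updated falls on or after that date deserves a manual look.
WINDOW_START = datetime(2019, 4, 25, tzinfo=timezone.utc)

# Digests your CI pushed / your manifests pin.  Constructed values, shortened
# for readability (real digests are "sha256:" plus 64 hex characters).
PINNED = {
    "example/api:1.4.2":  "sha256:aaaa1111",
    "example/api:latest": "sha256:aaaa1111",
}

# Constructed sample shaped like the Hub /tags/ response (not real data).
SAMPLE_TAGS = [
    {"name": "1.4.2", "last_updated": "2019-04-20T10:12:00.000000Z",
     "images": [{"digest": "sha256:aaaa1111", "architecture": "amd64"}]},
    {"name": "latest", "last_updated": "2019-04-26T03:41:00.000000Z",
     "images": [{"digest": "sha256:bbbb2222", "architecture": "amd64"}]},
    {"name": "nightly", "last_updated": "2019-04-27T01:00:00Z",
     "images": [{"digest": "sha256:cccc3333", "architecture": "amd64"}]},
]


def parse_hub_ts(s):
    """Parse Hub's RFC 3339 timestamps, with or without fractional seconds."""
    s = s.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in s else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def tag_digests(tag):
    """Collect a tag's digests: per-architecture entries under 'images', plus
    the top-level 'digest' that older responses carried."""
    digests = {img["digest"] for img in tag.get("images", []) if img.get("digest")}
    if tag.get("digest"):
        digests.add(tag["digest"])
    return digests


def audit_tags(repo, tags, pinned, window_start):
    """Return (ref, finding, detail) tuples.  Findings:
    pushed-in-window  tag updated on/after window_start
    digest-mismatch   tag's digest differs from the pinned one
    unpinned-tag      tag exists on Hub but nothing of yours pins it"""
    findings = []
    for tag in tags:
        ref = f"{repo}:{tag['name']}"
        updated = parse_hub_ts(tag["last_updated"])
        digests = tag_digests(tag)
        if updated >= window_start:
            findings.append((ref, "pushed-in-window", updated.isoformat()))
        expected = pinned.get(ref)
        if expected is None:
            findings.append((ref, "unpinned-tag", ",".join(sorted(digests))))
        elif expected not in digests:
            findings.append((ref, "digest-mismatch",
                             f"expected {expected}, hub has {','.join(sorted(digests))}"))
    return findings


def hub_login(username, password):
    """Exchange Hub credentials for a JWT (needed only for private repos)."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(f"{HUB}/users/login/", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["token"]


def fetch_tags(namespace, repo, token=None):
    """Fetch every tag of namespace/repo from Docker Hub, following pagination."""
    url = f"{HUB}/repositories/{namespace}/{repo}/tags/?page_size=100"
    tags = []
    while url:
        req = urllib.request.Request(url)
        if token:
            req.add_header("Authorization", f"JWT {token}")
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        tags.extend(page["results"])
        url = page.get("next")
    return tags


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_tags(...) for
    # a real repository.
    for ref, kind, detail in audit_tags("example/api", SAMPLE_TAGS, PINNED, WINDOW_START):
        print(f"{kind:17} {ref:22} {detail}")
```

On the sample, 1.4.2 is clean, latest is flagged twice (pushed after the discovery date and with a digest that is not the pinned one) and nightly is flagged as pushed in the window and unpinned. A digest mismatch on a tag you did not push in that window is the signal to pull the image by digest, diff its layers against your last build, and treat every host that pulled the tag as potentially compromised; a tag you do not pin at all is one an attacker could have created or overwritten without anything in your pipeline noticing.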

Additional information

The threat actor(s) were able to access one Docker Hub database. Docker is still investigating the intrusion and has not publicly identified how initial access was gained. 

This breach requires immediate attention: access to the linked code repositories could allow theft of source code or the injection of malicious code into the Docker image build and deployment pipeline. Capable threat actors may also use the exposed account data to identify additional target organizations and then attack them through backdoors or other malicious content hidden in a modified container image.

References:

[1] https://success.docker.com/article/docker-hub-user-notification

[2] https://docs.docker.com/docker-hub/

[3] https://news.ycombinator.com/item?id=19763413

Articles and reports written by eSentire staff and our Threat Intelligence Research Group.