
Docker Hub Breached, 190,000 Accounts Exposed

Published: 2019-04-28 21:39:07 | Column: Website building | Source: 局长

On Friday evening, US local time, developers reported receiving an official email from Docker stating that Docker Hub had suffered an unauthorized intrusion and that sensitive data from 190,000 accounts had been exposed. The data includes usernames and hashed passwords for a small portion of users, as well as the GitHub and Bitbucket tokens that those users had authorized to Docker Hub for automated builds of Docker images.

Docker Hub is the official registry for Docker container images, provided for Docker developers to upload and download container images.


Docker stated that, after discovering the breach, it immediately took steps to protect the data and did its best to limit the impact on users.

According to Docker's official account, the problem was discovered shortly after the attackers broke into Docker Hub, but data from 190,000 accounts had nonetheless been exposed, roughly 5% of all users.

After discovering the problem, Docker immediately informed users and asked them to reset their passwords (including on any other platforms where the same username and password are used).

In addition, for users of the automated build service who may be affected, Docker has revoked their GitHub tokens and access keys and prompted them to reconnect to their repositories, then inspect their security and login logs for any anomalous activity, for example unauthorized access from an unknown IP address.

Although only 5% of users are affected, and the problem may therefore not look very serious, that is not actually the case. The vast majority of Docker Hub users are internal staff at large companies, and their accounts may be using the automated container build service and then deploying those containers in real production environments.

If they do not reset their account passwords in time, the automated build service on those accounts faces a major security risk: an attacker could implant malware into the built images.

Docker says it is still investigating the incident and will share details once the investigation is complete. However, the security incident has not yet been disclosed on the company's website; users were only notified by email. The email reads as follows:

  • On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data. Upon discovery, we acted quickly to intervene and secure the site.
  • We want to update you on what we've learned from our ongoing investigation, including which Hub accounts are impacted, and what actions users should take.
  • Here is what we've learned:
  • During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds.
  • Actions to Take:
    - We are asking users to change their password on Docker Hub and any other accounts that shared this password.
    - For users with autobuilds that may have been impacted, we have revoked GitHub tokens and access keys, and ask that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place.
    - You may view security actions on your GitHub or Bitbucket accounts to see if any unexpected access has occurred over the past 24 hours - see https://help.github.com/en/articles/reviewing-your-security-log and https://bitbucket.org/blog/new-audit-logs-give-you-the-who-what-when-and-where
    - This may affect your ongoing builds from our Automated build service. You may need to unlink and then relink your GitHub and Bitbucket source provider as described in https://docs.docker.com/docker-hub/builds/link-source/
  • We are enhancing our overall security processes and reviewing our policies. Additional monitoring tools are now in place.
  • Our investigation is still ongoing, and we will share more information as it becomes available.
  • Thank you,
  • Kent Lamb, Director of Docker Support, info@docker.com
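One way to carry out the log review the email asks for, as an added example that is not Docker's, GitHub's or Bitbucket's code: it parses a constructed JSON-lines audit export (the field names and the sample events are assumptions; real security-log exports use their own schema) and flags events in the 24 hours before the review whose source address is not one the autobuild integration normally uses.

```python
"""Review an exported audit log for unexpected access around a breach window."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export, one JSON object per line. The field names are an
# assumption; real GitHub/Bitbucket security-log exports use their own schema.
SAMPLE_LOG = """\
{"timestamp": "2019-04-25T20:10:00Z", "action": "git.clone", "actor": "docker-hub-autobuild", "ip": "203.0.113.5"}
{"timestamp": "2019-04-25T21:45:00Z", "action": "git.clone", "actor": "docker-hub-autobuild", "ip": "198.51.100.7"}
{"timestamp": "2019-04-26T03:12:00Z", "action": "git.clone", "actor": "docker-hub-autobuild", "ip": "192.0.2.44"}
{"timestamp": "2019-04-26T09:00:00Z", "action": "user.login", "actor": "alice", "ip": "203.0.113.5"}
{"timestamp": "2019-04-20T09:00:00Z", "action": "git.clone", "actor": "docker-hub-autobuild", "ip": "192.0.2.99"}
"""

# Source addresses the team expects its own CI and autobuild integration to use (constructed).
KNOWN_IPS = {"203.0.113.5", "198.51.100.7"}


def parse_events(text):
    """Parse a JSON-lines export into dicts carrying a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # fromisoformat() in Python < 3.11 does not accept a trailing "Z".
        ev["timestamp"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def suspicious_events(events, review_time, window=timedelta(hours=24), known_ips=KNOWN_IPS):
    """Return events in the `window` before `review_time` whose source IP is not known.

    This is the check the notification asks for: look at the past 24 hours for
    access that did not come from where your builds normally run.
    """
    start = review_time - window
    return [ev for ev in events
            if start <= ev["timestamp"] <= review_time and ev["ip"] not in known_ips]


def review_sample():
    """Run the check over the constructed sample at a constructed review time."""
    review_time = datetime(2019, 4, 26, 12, 0, tzinfo=timezone.utc)
    return suspicious_events(parse_events(SAMPLE_LOG), review_time)


if __name__ == "__main__":
    for ev in review_sample():
        print(ev["timestamp"].isoformat(), ev["action"], ev["actor"], ev["ip"])
```

The event from 192.0.2.44 is the only one flagged: it falls inside the window and comes from an address the integration does not normally use, while the earlier event from 192.0.2.99 is outside the window and is ignored.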

[Responsible editor: 武晓燕 TEL: (010)68476606]

(Editor: 湖南网)
