Docker Security Breach Affects DevOps Pipelines

It probably wasn't a good weekend for the Docker security staff. The open source container company announced late last week that a database in its Docker Hub repository for container images had been hacked, exposing the data of 190,000 users. While the numbers aren't big as far as breaches are concerned, this one has some serious implications for the container supply chain.

Whether large or small, however, the timing for Docker couldn't be worse. On Tuesday the doors to the Moscone Center in San Francisco swing open for DockerCon 2019, the company's annual self-love fest. Obviously, a Docker security issue won't be good for generating leads.

As far as users go, a Twitter user with the handle "Tabletop Scenarios" put it most succinctly: "A company responsible for a critical part of your build pipeline has informed you of a breach before the weekend."

The announcement, issued on Thursday via an email from Kent Lamb, Docker's director of support, to affected users, downplayed the breach: Lamb said that not only did the breach only affect a small number of its users (less than 5% of the site's total users, he said), but that the information was exposed was "non-financial" in nature.

Trouble is, black hats don't have to reach into a bank account to do serious damage. In this case, nearly all Docker Hub users are people who work for large corporations that use the repository to build or rebuild container images, often pulling code from outside developer resources such as GitHub and Bitbucket, using tokens that were included in the information stored in the compromised database.

This automatically means headaches for DevOps and admins, as a breach like this means making multiple checks along the DevOps pipeline to discover any potential tampering. It also means that devs who don't take time out to investigate now might find surprises down the road.

So far, other than Lamb's email (which has been posted on Hacker News), Docker has made no public comments about the breach.

"Data includes usernames and hashed passwords ... as well as Github and Bitbucket tokens for Docker autobuilds," Lamb wrote. He went on to tell users with autobuilds that require connections with other repositories that "we have revoked GitHub tokens and access keys, and ask that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place."

Lamb also offered other advice to affected users, starting with the plain vanilla warning for password changes on Docker Hub accounts as well as anywhere else where the same passwords are being used. Additionally, he suggested users "view security actions on your GitHub or BitBucket accounts to see if any unexpected access has occurred." He noted that users might need to relink to their GitHub and Bitbucket accounts as well.

It's doubtful that Docker will have much, if anything, to say about the breach at this week's DockerCon since security issues don't tend to attract paying customers. If mention is made, however, ITPro Today will be on the scene and you can read about it here.