Docker breach of 190,000 users exposes lack of two-factor authentication

Containerisation platform Docker has asked 190,000 developer users to change their account passwords after hackers gained access to a database containing personal data.

According to an advisory on the company’s website, the incident happened on 25 April when, for a “brief period”, attackers had unauthorised access to a single Docker Hub database holding user account data.

Exposed data included usernames, hashed passwords for an unspecified number of users and, more seriously, the GitHub and Bitbucket access tokens that developers had linked to Docker Hub for autobuilds. Those tokens are the credential Docker Hub presents to the source repository when it pulls code for a build, so whoever holds one can act on that repository as the token’s owner without ever logging in or being prompted for a second factor; for practical purposes they are passwords.

Docker said it acted quickly once it discovered the breach, adding:

No Official Images have been compromised. We have additional security measures in place for our Official Images including GPG signatures on git commits as well as Notary signing to ensure the integrity of each image.

Data breaches are always bad news but the possible compromise of 190,000 accounts (about 5% of the service’s user base) on a development system used by businesses heaps additional worries on top of the usual workload.

What to do?

Docker said it has sent password reset links to all affected users, so if you’re on that list you should follow the company’s advice. In addition:

Users who have autobuilds who have had their GitHub or Bitbucket repositories unlinked will need to relink those repositories.

In a separate notification email, Docker said that anyone it thinks is in this category will have had their tokens and access keys revoked and will have to reconnect manually after checking security logs to identify whether “any unexpected actions have taken place.”

This can be done by following the log-checking advice on GitHub and on Bitbucket. Because a stolen token could have been used to push code or add persistent access (webhooks, deploy keys, collaborators) to a repository that feeds automated builds, affected users should treat these checks as their top priority: a change slipped into source during that window could already be baked into downstream images.
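As an added worked example (not from the article, Docker, GitHub or Bitbucket), the script below shows what such a log review looks like in practice. It runs over a small constructed audit log in a simplified, made-up export format and flags anything since the breach date that came from an unknown actor or network, or that created a persistence mechanism an attacker would leave behind before the stolen token was revoked. The action names, the known-actor list and the IP ranges are all assumptions for illustration; map them onto your provider’s real audit-log fields.

```python
"""Triage a GitHub/Bitbucket-style audit log for activity in the breach window.

Added example, not code from the article or from Docker/GitHub/Bitbucket.
The log format is a constructed, simplified one: each event has a timestamp,
an actor, an action, a source IP and a repository. Action names, known
actors and known networks are assumptions for illustration.
"""
from datetime import datetime, timezone

# Docker put the unauthorised access on 25 April 2019; anything from then
# until the linked tokens were revoked deserves a look.
BREACH_START = datetime(2019, 4, 25, tzinfo=timezone.utc)

# Actions that leave an outsider with access even after the stolen token is
# revoked (assumed names; adjust to your provider's audit log).
PERSISTENCE_ACTIONS = {
    "hook.create",                 # webhook that sees every push
    "deploy_key.create",           # long-lived SSH access to the repo
    "oauth_authorization.create",  # another token the attacker controls
    "member.add",                  # extra collaborator account
    "protected_branch.destroy",    # removes the guard on main/master
}

# Actors and source networks the team recognises (constructed).
KNOWN_ACTORS = {"alice", "bob", "ci-bot"}
KNOWN_NETWORKS = ("203.0.113.", "198.51.100.")  # RFC 5737 documentation ranges

# Constructed sample export: one record per event.
SAMPLE_LOG = [
    {"ts": "2019-04-24T09:12:00Z", "actor": "alice", "action": "git.push",
     "ip": "203.0.113.10", "repo": "acme/api"},
    {"ts": "2019-04-25T22:41:07Z", "actor": "alice", "action": "git.push",
     "ip": "192.0.2.77", "repo": "acme/api"},
    {"ts": "2019-04-26T03:05:13Z", "actor": "alice", "action": "deploy_key.create",
     "ip": "192.0.2.77", "repo": "acme/api"},
    {"ts": "2019-04-26T10:00:00Z", "actor": "ci-bot", "action": "git.push",
     "ip": "198.51.100.5", "repo": "acme/api"},
    {"ts": "2019-04-27T11:30:00Z", "actor": "mallory", "action": "hook.create",
     "ip": "192.0.2.78", "repo": "acme/web"},
]


def parse_ts(value):
    """Parse the Zulu timestamps used in the constructed export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(events, start=BREACH_START):
    """Return (event, reasons) for every event at or after `start` that looks off."""
    findings = []
    for ev in events:
        if parse_ts(ev["ts"]) < start:
            continue
        reasons = []
        if ev["actor"] not in KNOWN_ACTORS:
            reasons.append("unknown actor")
        if not ev["ip"].startswith(KNOWN_NETWORKS):
            reasons.append("unrecognised source IP")
        if ev["action"] in PERSISTENCE_ACTIONS:
            reasons.append("persistence-capable action")
        if reasons:
            findings.append((ev, reasons))
    return findings


def repos_needing_review(findings):
    """Repositories to inspect (and relink with a fresh token) before trusting builds again."""
    return sorted({ev["repo"] for ev, _ in findings})


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for ev, reasons in flagged:
        print(f"{ev['ts']} {ev['repo']:<10} {ev['actor']:<8} {ev['action']:<28} "
              f"{ev['ip']:<14} {', '.join(reasons)}")
    print("review before relinking:", repos_needing_review(flagged))
```

Note that the second event is a routine `git.push` by a legitimate account name; it is flagged only because of where it came from. A token stolen in a breach like this one is used under the victim’s identity, so filtering an audit log on actor alone will miss exactly the events you are looking for.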

Should all Docker users change their account password?

If we take the company’s explanation at face value, that doesn’t appear to be necessary although Docker does suggest that users consider changing their password if they haven’t done so in a while. In the meantime Docker is:

enhancing our overall security processes and reviewing our policies. Additional monitoring tools are now in place.

The comment about enhancing security might be a reference to multi-factor authentication (MFA or 2FA), which users have complained on social media and in forums that Docker doesn’t yet offer.

On the basis of a test account we set up, that does appear to be the case. It’s an unfortunate omission: multi-factor authentication is precisely the sort of control that reduces the likelihood of account compromise in an incident where usernames and hashed passwords have been breached, because a password recovered by cracking the hash is no longer enough on its own to log in. It would not, however, have protected the stolen GitHub and Bitbucket tokens, which are used by automated builds and never go through an interactive login; for those, revocation and rotation are the only remedy.
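To make both halves of that point concrete, here is an added example (not from the article or from Docker). It simulates the attacker’s side, an offline dictionary attack against a constructed table of salted password hashes, and the server’s side, a login that additionally demands a TOTP code for users who have enrolled a second factor. PBKDF2 with a deliberately low iteration count is used only so the demo runs instantly; the article does not say how Docker Hub hashes passwords and nothing here assumes it. The usernames, passwords, wordlist and MFA secrets are all constructed.

```python
"""Why a leak of *hashed* passwords still warrants a reset, and what MFA changes.

Added example, not code from the article or from Docker. Hash scheme,
user records, wordlist and MFA secrets are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 1000  # far below production settings; keeps the demo fast


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as '<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify(password, record):
    """Constant-time check of a password against a stored record."""
    salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed "leaked" table: two weak passwords, one strong random one.
STRONG = secrets.token_urlsafe(24)
LEAKED = {
    "dev1": hash_password("password123"),
    "dev2": hash_password("Docker2019!"),
    "dev3": hash_password(STRONG),
}

# Tiny constructed wordlist; a real attacker brings billions of candidates.
WORDLIST = ["123456", "password", "password123", "letmein", "Docker2019!", "qwerty"]


def offline_crack(leaked, wordlist):
    """Attacker side: the hashes are in hand, so guessing costs only CPU time."""
    recovered = {}
    for user, record in leaked.items():
        for guess in wordlist:
            if verify(guess, record):
                recovered[user] = guess
                break
    return recovered


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 (RFC 4226 dynamic truncation)."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


# Server-side second-factor secrets: dev2 has enrolled, dev1 has not (constructed).
MFA_SECRETS = {"dev2": os.urandom(20)}


def login(user, password, code=None, now=None):
    """Server side: a cracked password alone fails once a second factor is enrolled."""
    record = LEAKED.get(user)
    if record is None or not verify(password, record):
        return False
    secret = MFA_SECRETS.get(user)
    if secret is None:
        return True  # no MFA: the cracked password is enough
    now = int(time.time()) if now is None else now
    return code is not None and hmac.compare_digest(code, totp(secret, now))


if __name__ == "__main__":
    cracked = offline_crack(LEAKED, WORDLIST)
    print("recovered offline:", cracked)
    print("dev1 login with cracked password:", login("dev1", cracked["dev1"]))
    print("dev2 login with cracked password, no code:", login("dev2", cracked["dev2"]))
```

The weak passwords fall to a six-word list in milliseconds even though they were salted and stretched, which is why “hashed” is not a reason to skip the reset. With a second factor enrolled, the same cracked password gets dev2 nowhere without a code derived from a secret that was never in the password table. The MFA secret is, of course, just another server-side secret; if the breached database had held those too, the protection would be gone with it.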

Separately, it was revealed in March that a container-escape vulnerability (CVE-2019-5736) in runc, the container runtime used by Docker, which allows a malicious container to overwrite the host’s runc binary and gain root on the host, was being exploited by cybercriminals to mine the Monero (XMR) cryptocurrency on hundreds of servers.