Hackers Breached a Programming Tool Used By Big Tech and Stole Private Keys and Tokens

Docker Hub lost keys and tokens for around 190,000 accounts, which could have downstream effects if hackers used them to access source code at big companies.
Image: Flickr

Docker, a company that makes software tools for programmers and developers, said on Friday that hackers had accessed one of its Docker Hub databases and could have stolen sensitive data from around 190,000 accounts.

Experts Motherboard spoke to said that, in a worst-case scenario, the hackers would have been able to access proprietary source code from some of those accounts. Specifically, Docker allows developers to run software packages known as “containers.” It is used by some of the largest tech companies in the world, though it is not yet publicly known what information was accessed and which companies’ accounts were affected.


Docker disclosed the breach in an email to customers and users of Docker Hub, its cloud-based service that’s used by several companies and thousands of developers all over the world. In the email, obtained by Motherboard, Docker said that the stolen data includes “usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.”

Docker is still investigating the hack. But stealing access keys and tokens could have potentially given hackers access to critical private code repositories, and the ability to inject malicious code into software autobuilt by Docker. A scenario that one security researcher described as potentially “catastrophically bad.”

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@motherboard.tv

Companies such as Atlassian, PayPal, and Splunk are Docker customers, according to the company’s official site. And many developers inside other companies such as Google and Facebook use Docker.

Docker did not immediately respond to a request for comment.

Jeremy Galloway, a security researcher at Atlassian, a company indirectly affected by the breach, said that it was “definitely really bad.”

On early Friday morning, Docker notified Atlassian of the breach with a message, prompting the company to rush Galloway and his colleagues to reset thousands of deployment keys.


“Although the breach only exposed 190,000 users, the tokens and keys exposed are routinely used for auto-building critical software for companies and for accessing their private code repositories,” Galloway told Motherboard in an online chat. “It’s likely that attackers compromised Docker Hub simply as a means to an end to gain access to hundreds or thousands of other sensitive targets.”

Kenn White, a security researcher, explained the potential impact of the breach with an analogy.

“Think of it like this: developer gets mugged, and gets his keychain and wallet stolen. If the only keys were to his house and cars, that’s not great but it’s not a problem for the company,” White told Motherboard in an online chat. “In this case, potentially 190,000 keychains were pilfered, but with keys to company’s front doors too. Now it’s everybody’s problem.”

Another risk is that the hackers could bypass two-factor authentication on the code repository GitHub using the stolen keys and access tokens, according to White.

Docker is asking impacted users and customers to reset their passwords and it has revoked their GitHub access keys and tokens.

Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.