Docker, a development platform that allows companies to "build, manage and secure all their applications" and "deploy them anywhere," announced last week that it discovered a database hack that exposed the information of 190,000 users. The hackers collected usernames, hashed passwords and in some cases GitHub and Bitbucket access tokens used to access repositories on the popular Git platforms many developers use for version control.
Those whose usernames and hashed passwords were hacked got off relatively easy. Usually, it's not particularly hard to guess at someone's username--especially if it's simply their real name--and if Docker properly hashed the passwords they should be difficult to access. (As opposed to some other companies, which leave passwords in plain text readable by literally everyone with a computer.) That's also a relatively small number of users compared to other hacks.
The people with a real problem are the ones whose GitHub and Bitbucket access tokens were compromised. Those tokens are used to automatically build images of code stored in Git repositories. Bleeping Computer reported that depending on the permissions granted by the token, whoever hacked Docker could use these access tokens to modify the corresponding code repositories. That could enable additional hacks of users of those services. However, Docker said it revoked the stolen access tokens, so those attacks shouldn't be possible.
The company is asking users to change their passwords--on its site as well as other sites using the same password--and told people whose access tokens were compromised to reconnect their accounts to GitHub or Bitbucket. It also said it's "enhancing our overall security processes and reviewing our policies" and that "additional monitoring tools are now in place."
The hack came at an inopportune time. The company announced on April 24 a partnership with Arm to make it easier for developers to deploy "applications for cloud, edge and IoT environments" to systems with processors based on the Arm architecture. It's also hosting DockerCon, a container industry conference, from April 29 to May 2. But it seems Docker doesn't want this to detract from those events, as its social media accounts, blog and the news section of its website have all glossed over the database hack.
Instead, Docker disclosed the attack on its Success Center and directly to users who might have been affected. That way, it can let people know what it believes happened while also keeping the focus on its more flattering announcements.