Docker Hub Users Must Change Passwords Now

Just a few days ago we learned about a data breach that affected around 190 thousand Docker Hub users. The number of exposed accounts may not appear that significant, but the damage could affect both the accounts' owners and the companies they work for, which is why it is advisable to take immediate action. Some of you may already know what you ought to do to protect your privacy and accounts after a data breach. However, if you have never experienced one, we advise reading this blog post. In it, we explain what happened when cybercriminals hacked into the Docker Hub database and how to change your Docker Hub password to secure your account.

What happened exactly?

Docker Hub discovered unauthorized access to one of the company's databases, which contained "a subset of nonfinancial user data." The organization took immediate action and started an investigation to find out more. It was revealed that cybercriminals were able to obtain sensitive information from around 190 thousand accounts, which appears to be shy of 5 percent of all Docker Hub users.

The stolen data seems to include usernames and hashed passwords. Also, the cybercriminals may have obtained some GitHub and Bitbucket tokens used for Docker Hub autobuilds. Such tokens could allow them to gain access to the users' projects and even modify their code or trigger builds on Docker Hub automatically, which is why the company removed all tokens that might have been exposed. As a result, some users may notice that their autobuilds now fail. To fix this, users are asked to reconnect their repositories and check their security logs for suspicious activity.

Of course, to ensure the safety of affected accounts, Docker Hub's team asks users to change their Docker Hub password. To be more precise, the company's representatives urge a password change only for users whose Docker Hub password hash might have been exposed; such users ought to be informed via email. Nevertheless, the company's statement also says it is a good idea to change the Docker Hub password if it has not been replaced for a long time. We can only agree, as requirements for strong passwords grow fast, and if your password is a few years old, it is likely to be weak by today's standards.

What's more, even though the passwords were hashed, it does not mean hackers cannot recover them. Some hashing algorithms are old and no longer considered secure enough. Unfortunately, we cannot say what kind of hash was used for Docker Hub passwords, which is why we believe changing the account's password is a good idea whether or not you received an email urging you to do so. It is also advisable to change the passwords of all other accounts that might use the same passcode. Hackers do not even need to know what other accounts you have: they could try your Docker Hub username and password against other email services, social media platforms, etc. Thus, it is best to get rid of compromised credentials as fast as possible.

How to change your Docker Hub password?

To change your Docker Hub password, you have to reset it. The process is rather simple, and if you do not know how to reset your Docker Hub password, follow the instructions below.

Reset Docker Hub password

  1. Launch your browser and open this link.
  2. Type the email address that you used while creating your Docker Hub account.
  3. Click the Send button.
  4. Check your email and look for a message from Docker Hub.
  5. Click the provided link and follow the instructions on the page it loads.

What is important to understand is that, in order to protect your account, you should choose a strong password. It should contain lower-case and upper-case letters, numbers, and symbols. The combination should also be unique, that is, something you have never used before, as reusing old passwords is always a bad idea. Finally, make sure your new Docker Hub password is long enough that hackers would find it challenging and time-consuming to brute-force or guess.

Naturally, coming up with a strong password and making sure you will be able to remember it can be a difficult task. Therefore, we recommend employing a password manager. For example, Cyclonis Password Manager has an integrated Password Generator that can create passwords of up to 32 characters. The best part is that you do not have to memorize the generated password, as you can keep it in an encrypted vault and look it up whenever you need it, or simply let Cyclonis log you in automatically. To learn more about this password manager, continue reading here.
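As an added illustration of the two preceding paragraphs (not code from the original post or from Cyclonis), the following Python snippet generates a 32-character password drawn from the OS random source that is guaranteed to contain lower-case, upper-case, digit and symbol characters, and checks a candidate against that policy plus a "never used before" list. The 16-character minimum and the symbol set are assumptions for the example, not values from the post.

```python
import secrets
import string

# Character classes the post asks for: lower-case, upper-case, numbers, symbols.
# The symbol set is an assumption; adjust it to what the target site accepts.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}
ALPHABET = "".join(CLASSES.values())
MIN_LENGTH = 16  # assumed minimum; the post only says "long enough"


def check_password(password, previous=()):
    """Return a list of policy violations; an empty list means the password passes.

    `previous` is an iterable of passwords already used on other accounts, so that a
    reused password (the post's "never used before" rule) is rejected.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name} character")
    if password in previous:
        problems.append("reused password")
    return problems


def generate_password(length=32):
    """Generate a `length`-character password (32 by default, the post's upper figure)
    using the CSPRNG in `secrets`, resampling until every class is present."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    new_pw = generate_password()
    print(new_pw, check_password(new_pw))
```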

All things considered, this data breach was rather small, and it was well-handled. Nonetheless, such incidents are never pleasant as they make us question whether we can protect our privacy on the Internet. While it might be impossible to avoid becoming a victim of a data breach, there are things you can do to minimize the damage once it occurs, and if you want to learn what to do, you should have a look at this blog post.

May 10, 2019
