Data leak due to Docker Hub images

After a security investigation by Flare, it became known that 10,456 Docker Hub container images provide access to protected data. The data relates to LLM model keys, CI/CD databases, and production systems.

Details about the data leak

The leak affected large Fortune 500 companies and even a national bank.

Docker Hub is considered to be the most popular container registry, where ready-made images are uploaded and distributed. Most often, developers use Docker images to deploy software and optimise the entire development cycle. However, incorrect image creation can directly lead to the disclosure of secrets.

After thoroughly checking the container images, it became clear that the most common secrets were access tokens to AI models from Anthropic, OpenAI, Groq, and Gemini. In total, there were 4,000 keys, and almost 42 percent of the scanned images contained 5 confidential values.

Data leaks can lead to critical risks. During the audit, 100 companies were identified, most of which operate in the software and AI sectors. Additionally, more than 10 companies in the banking and financial sectors experienced confidential data leaks.

The most common mistake was the use of .ENV files, which are needed to store credentials, project tokens, and cloud access keys. Encoded API tokens for AI were also found in YAML, Python, config.json, and GitHub tokens.

Flare recommends avoiding storing secrets in container images and instead centralising management with a manager and dedicated storage. Companies should also use active scanning throughout the software development lifecycle while simultaneously revoking old sessions.