If this is related to security, I think users deserve to know what's up.

As someone working in security, I'm fairly distraught that I *still* don't know exactly what happened last week. The Docker post-mortem[1] states:

> On Thursday, April 25th, 2019, we discovered unauthorized access to a single Docker Hub database storing a subset of non-financial user data. Upon discovery, we acted quickly to intervene and secure the site.

> During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds.

> There was a brief period of unauthorized access to a Docker Hub database. During this time some sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of users as well as GitHub and Bitbucket tokens for Docker autobuilds. All these tokens have been revoked.

To the best of my knowledge, the above excerpts are the entirety of information about the incident that Docker has officially released. This is not nearly the level of detail that any security-conscious customer cares about, and in my opinion, it's an egregious violation of trust to not give more information.

For those that may not be working in security day-in, day-out, here's what I mean:

If this incident was, at its core, a DockerHub error that exposed a database to the Internet without proper authentication in place -- and then someone stumbled upon it -- that's an embarrassing mistake, but these things happen. I'd feel comfortable that Docker understands the extent of the breach, and that we can continue to use these products with some degree of confidence.

If, however, the breach was -- and we're going to the other end of the spectrum here -- a state-backed APT that blew 0days to breach the DockerHub network, then the threat model is *significantly* different. Did Docker bring in incident response professionals? What were the attackers targeting? How confident can we be that they didn't pivot to somewhere else on the Docker infrastructure undetected?

I know that Docker is likely trying to save face, and that the former scenario is significantly more likely than the latter -- but guessing about whether or not the breach was severe is a ridiculous situation to be in for major organizations that use the DockerHub service.

In case anyone was wondering, I wasn't personally or professionally impacted by the breach, but we performed full credential rotation anyway. If the breach was more severe than described (e.g., persistent access was established), then that probably wouldn't do much good... but it's better than just assuming that "only 5% of users could have been impacted," and doing nothing.

I'm very unhappy with Docker's communication of this breach/misconfiguration/incident/whatever it may have actually been. I really hope they release more information (perhaps in the form of a *real* post-mortem) so that DockerHub users can better understand the risks of using Docker products. In my opinion, it's incredibly irresponsible of Docker to keep this information to themselves.

1: https://success.docker.com/article/docker-hub-user-notification