1 comment

[ 5.1 ms ] story [ 15.1 ms ] thread
A few months ago, I received an email about my huggingface token being exposed. They've sent the same email to me a couple times now and I got a bit annoyed as I shared the token on purpose as read-only to my repositories which were all public anyways. I've responded every time with no response.

I was originally gonna post a Tell HN venting my annoyance but after reading into it, seems like not all victims were similar in intent (Some actually pushed tokens with write access to their account).

On a similar note, I did the same thing but for Google App Passwords which allow SMTP and IMAP access without 2FA a year ago (didn't write a blog about it) and saw some pretty disturbing things (e.g. cheaters). It's a pretty common issue that I'm surprised hasn't been fixed.