A few months ago, I received an email about my huggingface token being exposed. They've sent the same email to me a couple times now and I got a bit annoyed as I shared the token on purpose as read-only to my repositories which were all public anyways. I've responded every time with no response.
I was originally gonna post a Tell HN venting my annoyance but after reading into it, seems like not all victims were similar in intent (Some actually pushed tokens with write access to their account).
On a similar note, I did the same thing but for Google App Passwords which allow SMTP and IMAP access without 2FA a year ago (didn't write a blog about it) and saw some pretty disturbing things (e.g. cheaters). It's a pretty common issue that I'm surprised hasn't been fixed.
1 comment
[ 5.1 ms ] story [ 15.1 ms ] threadI was originally gonna post a Tell HN venting my annoyance but after reading into it, seems like not all victims were similar in intent (Some actually pushed tokens with write access to their account).
On a similar note, I did the same thing but for Google App Passwords which allow SMTP and IMAP access without 2FA a year ago (didn't write a blog about it) and saw some pretty disturbing things (e.g. cheaters). It's a pretty common issue that I'm surprised hasn't been fixed.