HUGGING Face experienced a data breach on July 16, 2026, caused by a malicious dataset that exploited vulnerabilities in their data-processing pipeline. An autonomous AI agent executed the breach, accessing limited internal datasets and service credentials without tampering with user-facing models. The company has confirmed the intrusion to law enforcement and is currently reviewing the impact on partner and customer data. Users are advised to rotate access tokens, check account activity, and report concerns.
Hugging Face has implemented security measures, including closing the exploited code paths and enhancing monitoring and controls.