Heroku confirms the customer database hack and forced password resets

GitHub OAuth token theft results in Heroku customer database hack

Stolen OAuth tokens are used to access the customer database with users' passwords

Stolen GitHub integration OAuth tokens from last month further led to the compromise of the internal customer database. It is confirmed by the Heroku officials now that this was true that stolen tokens led to a hack.^[1] Salesforce-owned subsidiary Heroku acknowledged that unauthorized access to an internal customer database was gained.

The company issued an updated notification^[2] and revealed that the compromised token was used to breach the database and possibly exfiltrate hashed and salted user account passwords:

Access to the environment was gained by leveraging a compromised token for a Heroku machine account.

The threat actor managed to access the token on April 7th and started to use the OAuth token^[3] to access customer data on April 8th and April 9th. The last day was successful when the attacker downloaded a subset of the private repositories with some of the Heroku source code. The company was notified by GitHub on April 12th, 2022. the company revoked the integration tokens on April 16th.

As a consequence of the incident, Salesforce encourages Heroku user password reset. The procedure should ensure that potentially affected credentials are refreshed and not used for additional scams or cyberattacks. Users received unexpected password reset emails.

The timeline of the OAuth access token usage

The issue with stolen OAuth user tokes was reported on April 12th by GitHub.^[4] The attack campaign started with an unidentified actor leveraging the stolen tokes issued to the third-party integrators. Those were Travis-CI and Heroku. These were used to download data from dozens of different organizations.

GitHub categorized the incident as highly targeted because the pattern shows that attackers only listed organizations in order to identify accounts and select targets for listing and downloading the private repositories. The analysis showed that the adversary had stolen app tokes for authentication of the GitHub API.

On April 7th threat actor obtained access to a Heroku database and downloaded stored customer OAuth access tokens for the GitHub integration.

On April 8 the attacker enumerated metadata about customer repositories using the particular tokens.

April 9th was when the attacker downloaded a subset of Heroku private repositories from GitHub.

Forced password reset

Heroku started to perform forced resets of passwords for a subset of the user accounts. The security incident was the reason, but people did not get a full explanation.^[5] These emails stated the resetting happens on MAy 4th, and users are advised to do that because of the security incident. This resetting also means that all previous API access tokes are invalid, and people are required to generate the new ones.

However, the original reports stated that threat actors could access and download data from GitHub repositories belonging to the ones who authorized the compromised Heroku apps with their accounts. GitHub's infrastructure or systems, and private repositories were not impacted by the incident.

This does not explain the full password reset for users. But the, access to the internal database of customer accounts does. Customers might panic due to the lack of disclosure, and some of them call this incident, and the password reset a train wreck. But this reset can prompt concerns about particular malicious activities and threat actor operations that have not been disclosed. Nevertheless, resetting passwords for your accounts can be a great way to avoid serious issues with security.