Heroku resets user passwords after intrusion

Heroku has explained why it abruptly sent users a password reset warning earlier this week: the reset stems from the theft of a GitHub OAuth token.

“Our investigation revealed that the same compromised token was used to access the database and extract hashed and salted passwords from user accounts,” the company said in an incident notice.

“For this reason, Salesforce is ensuring that all Heroku user passwords are reset and that potentially vulnerable accounts are reset. We have reset Heroku’s internal accounts and implemented additional detection tools. We continue to investigate the source of the token compromise.”

The company also said that the attacker first gained access on April 7, two days before the attack date previously made public by Heroku or GitHub.

“On April 7, 2022, an attacker gained access to the Heroku database and uploaded OAuth tokens held by clients for integration with GitHub. Access to the environment was obtained by using a compromised token for the Heroku machine account,” it said.

“According to GitHub, the attacker started listing metadata in client repositories with OAuth tokens uploaded on April 8, 2022. On April 9, 2022, an attacker uploaded to GitHub a portion of Heroku’s private repositories containing a portion of Heroku’s source code.”

GitHub noticed the activity on April 12 and posted a notification on April 13. Three days later, Heroku revoked all OAuth tokens for GitHub integration.

“We value transparency and understand that our customers are seeking to better understand the impact of this incident and our response to date,” the company said in a message at the top of the incident notification page, which has been running since April 15.

Heroku has previously stated that it will not reconnect to GitHub until it is sure that doing so is safe.

Source: “.com”
