Salesforce-owned subsidiary Heroku on Thursday acknowledged that the theft of GitHub integration OAuth tokens further involved unauthorized access to an internal customer database.
The company, in an updated notification, revealed that a compromised token was abused to breach the database and “exfiltrate the hashed and salted passwords for customers’ user accounts.”
As a consequence, Salesforce said it’s resetting all Heroku user passwords and ensuring that potentially affected credentials are refreshed. It also emphasized that internal Heroku credentials were rotated and extra detections have been put in place.
The attack campaign, which GitHub discovered on April 12, involved an unidentified actor leveraging stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM.
The timeline of events as shared by the cloud platform is as follows –
- April 7, 2022 – Threat actor obtains access to a Heroku database and downloads stored customer OAuth access tokens used for GitHub integration.
- April 8, 2022 – Attacker enumerates metadata about customer repositories using the stolen tokens.
- April 9, 2022 – Attacker downloads a subset of Heroku private repositories from GitHub.
GitHub, last week, characterized the attack as highly targeted, adding the adversary was “only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories.”
Heroku has since revoked all the access tokens and removed support for deploying apps from GitHub through the Heroku Dashboard to ascertain that “the integration is secure before we re-enable this functionality.”