Hack investigation blames compromised token for breach

Heroku resets user passwords after concluding April cyber-attack ran deep

A recently disclosed cyber-attack against Heroku that involved GitHub may be far more severe than first suspected.

Heroku, the Salesforce-owned cloud application platform, began the forced reset of user passwords on May 4.

In the early hours of Thursday (May 5), Heroku published an update implying that the as-yet unidentified attackers accessed data from its core database as a result of the attack.

The incident, previously disclosed on April 15, led to the exposure of GitHub integration OAuth tokens. This was the topic of a separate update by GitHub last week.

RELATED GitHub offers post-mortem on recent security breach

These credentials were exposed as a result of a successful attack against Heroku, as the cloud firm’s latest update explains:

On April 7, 2022, a threat actor gained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was achieved by leveraging a compromised token for a Heroku machine account.

Compromised tokens

Evidence suggests the attacker was able to use metadata to link customer repositories with OAuth tokens before the attacker “downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code”.

This element of the attack, which took place on April 9, was detected by GitHub on April 12 and notified to Heroku a day later.

Read more of the latest hacking news

In response, Heroku launched an investigation that quickly resulted in the “revocation of all GitHub integration OAuth tokens, preventing customers from deploying apps from GitHub through the Heroku dashboard or via automation”.

In the latest development, Heroku’s ongoing investigation has revealed that the compromised token for a Heroku machine account enabled attackers to “gain access to a database and exfiltrate the hashed and salted passwords for customers’ user accounts”.

Password reset

This discovery precipitated the reset of a subset of Heroku customer passwords this week.

“Salesforce is ensuring all Heroku user passwords are reset and potentially affected credentials are refreshed,” Heroku’s update concluded.

“We have rotated internal Heroku credentials and put additional detections in place. We are continuing to investigate the source of the token compromise.”

The Daily Swig asked Heroku to confirm the root cause of the breach and to outline how many accounts were potentially affected. We’ll update this story as and when more information comes to hand.

DON’T FORGET TO READ India to introduce six-hour data breach notification rule