Heroku fesses up to customer password theft due to OAuth token attack


Heroku explained why it emailed users with a sudden password reset warning earlier this week, and how it was due to the theft of OAuth tokens from GitHub.

“[Our investigation] revealed that the same compromised token was being used to access a database and exfiltrate hashed and salted passwords from customer user accounts,” the company said in its incident notification.

“For this reason, Salesforce ensures that all Heroku user passwords are reset and potentially affected credentials are refreshed. We have rotated internal Heroku credentials and implemented detections. We are continuing to investigate the source of the token compromise.”

The company also said an attacker first gained access on April 7, two days before the first attack date made public by Heroku or GitHub.

“On April 7, 2022, a malicious actor gained access to a Heroku database and downloaded stored client GitHub integration OAuth tokens. Access to the environment was gained by exploiting a compromised token for a Heroku machine account,” it said.

“According to GitHub, the threat actor began enumerating metadata on client repositories with the downloaded OAuth tokens on April 8, 2022. On April 9, 2022, the attacker downloaded a subset of the private Heroku GitHub repositories from GitHub, containing Heroku source code.”

GitHub noticed the activity on April 12, its notification reached Heroku on April 13, and Heroku revoked all GitHub integration OAuth tokens three days later.
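The enumeration step in Heroku's account above (a stolen integration token suddenly reading metadata across many repositories, from an address it never used before) is the kind of behaviour a simple audit-log detection can surface well before a four-day gap closes. The following is an added example, not code from Heroku or GitHub; it runs over a constructed, simplified log format (the `token=`/`ip=`/`action=`/`repo=` fields, the token names and the TEST-NET addresses are all assumptions, and real GitHub audit-log records use different field names), flags any token that touches an unusual number of distinct repositories inside a short window, and separately flags use from an IP outside the token's known baseline.

```python
"""Detect OAuth integration tokens that start enumerating repositories.

Added example, not Heroku's or GitHub's code. The log schema below is a
constructed simplification; real GitHub audit-log events have different
field names and would need their own parser.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (assumption: one event per line, space-separated
# key=value fields). oauth_deploy01 is quiet for hours, then walks six repos
# in a few seconds from an address it has never used.
SAMPLE_LOG = """\
2022-04-08T01:00:02Z token=oauth_deploy01 ip=198.51.100.10 action=repo.get repo=acme/web
2022-04-08T01:30:11Z token=oauth_deploy01 ip=198.51.100.10 action=repo.get repo=acme/web
2022-04-08T03:12:05Z token=oauth_deploy01 ip=203.0.113.7 action=repo.get repo=acme/web
2022-04-08T03:12:06Z token=oauth_deploy01 ip=203.0.113.7 action=repo.get repo=acme/api
2022-04-08T03:12:06Z token=oauth_deploy01 ip=203.0.113.7 action=repo.get repo=acme/billing
2022-04-08T03:12:07Z token=oauth_deploy01 ip=203.0.113.7 action=repo.get repo=acme/infra
2022-04-08T03:12:08Z token=oauth_deploy01 ip=203.0.113.7 action=repo.get repo=acme/secrets-tooling
2022-04-08T03:12:09Z token=oauth_deploy01 ip=203.0.113.7 action=repo.get repo=acme/mobile
2022-04-08T04:00:00Z token=oauth_ci02 ip=198.51.100.20 action=repo.get repo=acme/web
2022-04-08T04:05:00Z token=oauth_ci02 ip=198.51.100.20 action=repo.get repo=acme/api
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) ip=(?P<ip>\S+) "
    r"action=(?P<action>\S+) repo=(?P<repo>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(ev)
    return events


def find_enumeration(events, window=timedelta(minutes=10), min_repos=5,
                     baseline_ips=None):
    """Return {token: [reasons]} for suspicious tokens.

    A token is flagged if it touches >= min_repos distinct repositories
    within any `window`, or if it is used from an IP that is not in its
    baseline (baseline_ips: {token: set_of_known_ips}). Tokens with no
    baseline entry are not checked for new IPs.
    """
    baseline_ips = baseline_ips or {}
    by_token = defaultdict(list)
    for ev in events:
        by_token[ev["token"]].append(ev)

    findings = {}
    for token, evs in by_token.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []

        # Sliding window over this token's events, counting distinct repos.
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            repos = {e["repo"] for e in evs[start:end + 1]}
            if len(repos) >= min_repos:
                reasons.append(
                    f"{len(repos)} distinct repos within {window} "
                    f"starting {evs[start]['ts'].isoformat()}"
                )
                break

        # Use from an address outside the token's known baseline.
        if token in baseline_ips:
            new_ips = sorted({e["ip"] for e in evs} - baseline_ips[token])
            if new_ips:
                reasons.append("used from IP(s) outside baseline: " + ", ".join(new_ips))

        if reasons:
            findings[token] = reasons
    return findings


if __name__ == "__main__":
    known = {"oauth_deploy01": {"198.51.100.10"}, "oauth_ci02": {"198.51.100.20"}}
    for token, reasons in find_enumeration(parse_log(SAMPLE_LOG), baseline_ips=known).items():
        print(token)
        for r in reasons:
            print("  -", r)
```

The two signals are deliberately independent: a legitimate integration can touch many repositories (a CI token on a monorepo migration), and a known token can legitimately move to a new egress address, but a stored integration token doing both at once, hours after its last normal use, is exactly the shape of the April 8 activity and is cheap to alert on. Tune `window` and `min_repos` to the integration's normal fan-out, and treat the baseline as per-token, not per-organisation.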

“We appreciate the transparency and understand that our customers are seeking a deeper understanding of the impact of this incident and our response to date,” the company said at the top of the incident notification page, which has been running since April 15.

Heroku has previously stated that it will not reconnect to GitHub until it is sure it is safe to do so.

This week, GitHub said it would mandate the use of multi-factor authentication by the end of 2023.
