Heroku accepts that it suffered a data breach impacting its internal customer database after stolen GitHub OAuth tokens were exploited that couldn't be...
Heroku has disclosed that its internal customer database was compromised in the incident involving stolen GitHub integration OAuth tokens reported last month, after the Salesforce subsidiary had recently forced password resets without giving any reason.
On May 4, a subset of Heroku users started receiving password reset emails with the subject line "Heroku security notification - resetting user account passwords TODAY, May 4, 2022", along with the necessary instructions for resetting their passwords.
"We wanted to inform you that on May 4, 2022, we will begin resetting user account passwords as part of our efforts to strengthen our security and in response to an incident disclosed on status.heroku.com," the email issued to Heroku clients said.
However, the compromised OAuth integration tokens weren't actually the reason behind the customer database breach used to "exfiltrate the hashed and salted passwords for customers' user accounts": several Heroku and GitHub users without any OAuth integrations received the same password reset email, which seemed unexpected.
The company also advised that changing the password will invalidate all API access tokens, rendering any current automation or apps that depend on the API inoperable until new keys are generated.
The PaaS company's earlier notices had pointed firmly to the theft of GitHub OAuth tokens issued to Heroku and Travis-CI, and to the use of these tokens to download private GitHub repository data belonging to dozens of organizations, including npm.
On April 12, GitHub Security initiated an investigation into allegations that an attacker "abused stolen OAuth user tokens supplied to two third-party OAuth integrators, Heroku and Travis-CI, to steal data from hundreds of firms, including npm."
Previously, the Travis-CI and Heroku OAuth apps used these tokens to interact with GitHub for application deployment.
By obtaining these OAuth tokens, threat actors could access and download data from the GitHub repositories of users who had authorized the compromised Heroku or Travis CI OAuth apps on their accounts. It should be noted that the incident did not affect GitHub's infrastructure, services, or private repositories.
However, until today, this did not explain why Heroku would need to reset the passwords of some user accounts.
As it turns out, the compromised token for a Heroku machine account acquired by threat actors also permitted unauthorized access to Heroku's internal customer database:
"Our research indicated that the same compromised token was also used to obtain access to a database and exfiltrate hashed and salted passwords for client user accounts," Heroku added in an updated security advisory. "As a result, Salesforce resets all Heroku user passwords and refreshes possibly impacted credentials. Internal Heroku credentials have been rotated, and further detections have been implemented. We are still looking into the source of the token compromise."
According to Heroku's initial security notification about the issue, the unauthorized access occurred in connection with GitHub repositories belonging to accounts that had used the compromised Heroku OAuth tokens. "The hacked tokens might give access to client GitHub repositories, but not to customer Heroku accounts," the company previously noted.
However, the password reset emails fuelled customers' suspicions that Heroku's investigation had uncovered further details beyond the initial disclosure.
A few hours ago, Heroku offered some insight into the chain of events in an effort to be more upfront with the community.
"We embrace transparency and recognize that our customers want a complete picture of the incident's effect and our reaction to date," Heroku states.
Additionally, the cloud platform noted that, through collaboration with GitHub, threat intelligence providers, industry partners, and law enforcement during the investigation, it had reached a stage where additional details could be shared without jeopardizing the ongoing investigation:
***"On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account. According to GitHub, the threat actor began enumerating metadata about customer repositories with the downloaded OAuth tokens on April 8, 2022. On April 9, 2022, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code.
GitHub identified the activity on April 12, 2022, and notified Salesforce on April 13, 2022, at which time we began our investigation. As a result, on April 16, 2022, we revoked all GitHub integration OAuth tokens, preventing customers from deploying apps from GitHub through the Heroku Dashboard or via automation. We remain committed to ensuring the integration is secure before re-enabling this functionality."***
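Heroku's timeline above describes stolen integration tokens being used to enumerate metadata across many customer repositories in a short span. The script below is an added example, not code from Heroku, GitHub or the original article, showing how a defender can surface that pattern from an integration access log: a single token touching an unusual number of distinct repositories inside a sliding time window, and a helper to list exactly which repositories a flagged token reached so the affected owners can be notified once the token is revoked. The log lines are constructed for this example, and their format (timestamp, integration name, token id, action, owner/repo) and field names are assumptions, not GitHub's audit-log schema.

```python
"""Flag integration tokens that touch an unusual number of distinct repositories
inside a short time window, a rough signal for bulk repository enumeration."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records for this example. The line format
# "<timestamp> <integration> <token_id> <action> <owner/repo>" and the field
# names are assumptions made here, not GitHub's audit-log schema.
SAMPLE_LOG = """\
2022-04-08T02:10:01Z heroku tok_a1 repo.metadata org1/api
2022-04-08T02:10:02Z heroku tok_a1 repo.metadata org1/web
2022-04-08T02:10:02Z heroku tok_a1 repo.metadata org1/infra
2022-04-08T02:10:03Z heroku tok_a1 repo.metadata org2/billing
2022-04-08T02:10:03Z heroku tok_a1 repo.metadata org2/mobile
2022-04-08T02:10:04Z heroku tok_a1 repo.metadata org3/docs
2022-04-08T02:10:04Z heroku tok_a1 repo.metadata org3/ci
2022-04-08T02:10:05Z heroku tok_a1 repo.metadata org3/legacy
2022-04-08T02:10:06Z heroku tok_a1 repo.metadata org4/api
2022-04-08T02:10:07Z heroku tok_a1 repo.metadata org4/admin
2022-04-08T02:10:08Z heroku tok_a1 repo.metadata org4/sdk
2022-04-08T03:00:00Z heroku tok_b2 repo.clone org1/web
2022-04-08T03:45:10Z heroku tok_b2 repo.clone org1/web
2022-04-08T09:12:00Z travis tok_c3 repo.clone org2/mobile
"""


def parse_log(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, integration, token_id, action, repo = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "integration": integration,
            "token_id": token_id,
            "action": action,
            "repo": repo,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_enumeration_bursts(events, window=timedelta(minutes=10), min_repos=5):
    """Return {token_id: (distinct_repo_count, burst_start)} for every token that
    touched at least min_repos distinct repositories within any span of length
    window. A normal deploy hook re-reads one or two repositories; a token that
    walks dozens of unrelated repositories in seconds is enumerating."""
    by_token = defaultdict(list)
    for e in events:
        by_token[e["token_id"]].append(e)

    flagged = {}
    for token_id, evs in by_token.items():
        start = 0
        repos_in_window = defaultdict(int)  # repo -> hits inside the window
        for end, e in enumerate(evs):
            repos_in_window[e["repo"]] += 1
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                old = evs[start]["repo"]
                repos_in_window[old] -= 1
                if repos_in_window[old] == 0:
                    del repos_in_window[old]
                start += 1
            distinct = len(repos_in_window)
            if distinct >= min_repos:
                prev = flagged.get(token_id)
                if prev is None or distinct > prev[0]:
                    flagged[token_id] = (distinct, evs[start]["ts"])
    return flagged


def repos_touched_by(events, token_id):
    """Sorted list of repositories a token accessed: the scoping input for
    notifying affected repository owners after that token has been revoked."""
    return sorted({e["repo"] for e in events if e["token_id"] == token_id})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for tok, (count, burst_start) in find_enumeration_bursts(evs).items():
        print(f"{tok}: {count} distinct repos starting {burst_start.isoformat()}")
        print("  affected:", ", ".join(repos_touched_by(evs, tok)))
```

On the constructed input only `tok_a1` is flagged (11 distinct repositories within a few seconds), while the two deploy-style tokens that repeatedly clone a single repository are not. The window and threshold are tuning knobs: a real integration's baseline should be measured first, since some legitimate automation (for example a nightly job across an organization's repositories) will also touch many repositories and needs to be allow-listed rather than paged on.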
Heroku has subsequently revoked all access tokens and disabled the capability to deploy apps from GitHub via the Heroku Dashboard in order to ensure the "integration is secure" before re-enabling the functionality. All Heroku users are directed to keep checking the security notification page for further updates.