Cloud application platform Heroku has confirmed that the recent cybersecurity incident, in which GitHub integration OAuth tokens were stolen, has led to further compromise, and ended up with customer credentials (opens in new tab) being stolen.
After some pressure by the community, to provide more clarity surrounding the incident, and why it started sending out password reset emails to its customers, the Salesforce-owned company confirmed that the compromised tokens were used, by unknown thread actors, to obtain hashed and salted passwords (opens in new tab), belonging to its customers, from “a database”.
"For this reason, Salesforce is ensuring all Heroku user passwords are reset and potentially affected credentials are refreshed. We have rotated internal Heroku credentials and put additional detections in place. We are continuing to investigate the source of the token compromise,” it said in a security advisory.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
The database Heroku is referring to, according to a person previously affiliated with the company, is most likely "core-db”, BleepingComputer found.
Commenting on the news, Craig Kerstiens of PostgreSQL platform CrunchyData, said: "The latest report states about 'a database' which is presumably the internal database. I don't want to speculate too much, but it seems [the attacker] had access to internal systems. GitHub were the ones that detected and noticed it and reported to Heroku. Do not disagree that there should be more clarity, but best to follow up with Salesforce on that."
> A mystery hacker is smuggling data out of private code repositories, GitHub warns (opens in new tab)
> OAuth: what you need to know (opens in new tab)
> OAuth apps are being exploited to launch cyberattacks (opens in new tab)
But stolen passwords might end up being the least of Heroku’s concerns, as the community has vocally criticized how the company handled the incident, and how it communicated with its users and customers. After the original incident, on April 12, the company started forcing password resets for some of its user accounts, without fully explaining what had happened.
After almost three weeks, Heroku has given a full explanation, which some readers on YCombinator Hacker News described as “a complete train wreck and a case study on how not to communicate with your customers."
- Stay safe from hackers with the best firewalls around (opens in new tab)
Via: BleepingComputer (opens in new tab)