Heroku has now revealed that the stolen GitHub integration OAuth tokens from last month further led to the compromise of an internal customer database.
Like many users, we unexpectedly received a password reset email from Heroku, even though BleepingComputer does not have any OAuth integrations that use Heroku apps or GitHub.
“On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm,” GitHub had previously disclosed.
“For this reason, Salesforce is ensuring all Heroku user passwords are reset and potentially affected credentials are refreshed. We have rotated internal Heroku credentials and put additional detections in place. We are continuing to investigate the source of the token compromise.”
“The compromised tokens could provide the threat actor access to customer GitHub repos, but not customer Heroku accounts,” the company had previously stated.
“On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account. According to GitHub, the threat actor began enumerating metadata about customer repositories with the downloaded OAuth tokens on April 8, 2022. On April 9, 2022, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code.”GitHub identified the activity on April 12, 2022, and notified Salesforce on April 13, 2022, at which time we began our investigation.