On Thursday, Heroku, a Salesforce company, admitted that the theft of GitHub integration OAuth tokens included improper access to an internal client database. According to an updated notification from the company, the hackers used a compromised token to breach the database and exfiltrate the hashed and salted passwords of customers’ accounts.
“On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account. According to GitHub, the threat actor began enumerating metadata about customer repositories with the downloaded OAuth tokens on April 8, 2022. On April 9, 2022, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code,” Heroku further explained.
As a result, Salesforce is resetting all Heroku user passwords and ensuring that any credentials that may have been compromised are updated. It also said that internal Heroku credentials had been rotated and that further detections had been implemented. In the attack campaign GitHub disclosed on April 12, an unidentified attacker used stolen OAuth user credentials supplied to two third-party OAuth integrators, Heroku and Travis-CI, to obtain data from hundreds of businesses, including NPM.
The following is the timeline of events as supplied by the cloud platform:
- April 7, 2022: An attacker gains access to a Heroku database and downloads customer OAuth access tokens for GitHub integration.
- April 8, 2022: Using the stolen tokens, the attacker enumerates metadata about customer repositories.
- April 9, 2022: The attacker downloads a selection of Heroku private repositories from GitHub.
Last week, GitHub described the attack as “very focused,” explaining that the attacker was “only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories.” According to the company, Heroku has subsequently revoked all access tokens and disabled the capability for deploying apps from GitHub via the Heroku Dashboard in order to ensure that “the integration is safe before we re-enable this functionality.”
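The pattern GitHub describes above, a token that lists repositories across many organizations and then pulls a batch of private repositories, is what a defender would want to catch in audit data. The script below is an added example, not Heroku's or GitHub's own code: it runs a simple sliding-window detector over constructed sample events. The event format (`ts`, `token`, `org`, `action`, `repo`, `private`) and the thresholds are assumptions for this example; real GitHub audit log records use different field names and would have to be mapped into this shape first.

```python
"""Flag OAuth tokens whose activity looks like repository enumeration.

Added example, not Heroku's or GitHub's code. The event shape and the
thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
MAX_ORGS_PER_WINDOW = 3       # one integration rarely lists repos in more orgs
MAX_PRIVATE_DOWNLOADS = 5     # distinct private repos cloned inside one window


def _ev(ts, token, org, action, repo=None, private=False):
    return {"ts": ts, "token": token, "org": org, "action": action,
            "repo": repo, "private": private}


# Constructed sample events (not real log data). tok_deploy behaves like a
# normal integration; tok_stolen walks several orgs and then bulk-downloads.
SAMPLE_EVENTS = [
    _ev("2022-04-08T09:00:00Z", "tok_deploy", "acme", "repo.list"),
    _ev("2022-04-08T09:00:03Z", "tok_deploy", "acme", "repo.download", "acme/web", True),
    _ev("2022-04-08T12:30:00Z", "tok_deploy", "acme", "repo.download", "acme/web", True),
    _ev("2022-04-08T14:00:01Z", "tok_stolen", "acme", "repo.list"),
    _ev("2022-04-08T14:00:02Z", "tok_stolen", "globex", "repo.list"),
    _ev("2022-04-08T14:00:03Z", "tok_stolen", "initech", "repo.list"),
    _ev("2022-04-08T14:00:04Z", "tok_stolen", "umbrella", "repo.list"),
    _ev("2022-04-08T14:05:00Z", "tok_stolen", "acme", "repo.download", "acme/billing", True),
    _ev("2022-04-08T14:05:01Z", "tok_stolen", "acme", "repo.download", "acme/auth", True),
    _ev("2022-04-08T14:05:02Z", "tok_stolen", "globex", "repo.download", "globex/core", True),
    _ev("2022-04-08T14:05:03Z", "tok_stolen", "initech", "repo.download", "initech/api", True),
    _ev("2022-04-08T14:05:04Z", "tok_stolen", "umbrella", "repo.download", "umbrella/lab", True),
    _ev("2022-04-08T14:05:05Z", "tok_stolen", "umbrella", "repo.download", "umbrella/ops", True),
]


def parse_ts(value):
    """Parse the constructed ISO-8601 'Z' timestamps used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def peak_activity(events, window=WINDOW):
    """Per token, the peak number of distinct orgs whose repos were listed
    and distinct private repos downloaded inside any window-length period."""
    by_token = defaultdict(list)
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_token[event["token"]].append(event)

    peaks = {}
    for token, evs in by_token.items():
        peak_orgs = peak_downloads = 0
        # Slide a window starting at each event; events are already sorted.
        for i, start in enumerate(evs):
            t0 = parse_ts(start["ts"])
            orgs_listed, private_pulled = set(), set()
            for event in evs[i:]:
                if parse_ts(event["ts"]) - t0 > window:
                    break
                if event["action"] == "repo.list":
                    orgs_listed.add(event["org"])
                elif event["action"] == "repo.download" and event["private"]:
                    private_pulled.add(event["repo"])
            peak_orgs = max(peak_orgs, len(orgs_listed))
            peak_downloads = max(peak_downloads, len(private_pulled))
        peaks[token] = {"orgs_listed": peak_orgs, "private_downloads": peak_downloads}
    return peaks


def flag_tokens(events, window=WINDOW, max_orgs=MAX_ORGS_PER_WINDOW,
                max_downloads=MAX_PRIVATE_DOWNLOADS):
    """Return {token: [reasons]} for tokens exceeding either threshold."""
    findings = {}
    for token, peak in peak_activity(events, window).items():
        reasons = []
        if peak["orgs_listed"] > max_orgs:
            reasons.append("listed repos across %d orgs" % peak["orgs_listed"])
        if peak["private_downloads"] > max_downloads:
            reasons.append("downloaded %d distinct private repos" % peak["private_downloads"])
        if reasons:
            findings[token] = reasons
    return findings


if __name__ == "__main__":
    for token, reasons in flag_tokens(SAMPLE_EVENTS).items():
        print(token, "->", "; ".join(reasons))
```

The thresholds are deliberately conservative placeholders: a real deployment would baseline each integration's normal breadth (how many orgs and repos it touches per day) and alert on departures from that baseline, and a token that is flagged should be revoked first and investigated second, which is the order of operations Heroku describes above.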