Salesforce-owned subsidiary Heroku on Thursday acknowledged that the theft of GitHub integration OAuth tokens further involved unauthorized access to an internal customer database.
The company, in an updated notification, revealed that a compromised token was abused to breach the database and "exfiltrate the hashed and salted passwords for customers' user accounts."
As a consequence, Salesforce said it's resetting all Heroku user passwords and ensuring that potentially affected credentials are refreshed. It also emphasized that internal Heroku credentials were rotated and extra detections have been put in place.
The attack campaign, which GitHub discovered on April 12, involved an unidentified actor leveraging stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM.
The timeline of events as shared by the cloud platform is as follows:
- April 7, 2022 - Threat actor obtains access to a Heroku database and downloads stored customer OAuth access tokens used for GitHub integration.
- April 8, 2022 - Attacker enumerates metadata about customer repositories using the stolen tokens.
- April 9, 2022 - Attacker downloads a subset of Heroku private repositories from GitHub.
GitHub, last week, characterized the attack as highly targeted, adding the adversary was "only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories."
Heroku has since revoked all the access tokens and removed support for deploying apps from GitHub through the Heroku Dashboard to ascertain that "the integration is secure before we re-enable this functionality."
Update: Heroku, in a follow-up alert, said on Friday it had completed the "necessary password resets" and that it did not find evidence of unauthorized access to its systems after April 14, 2022. It also said that it plans to reinstate GitHub integration "in the next several weeks."
"While we confirmed that the threat actor had access to encrypted Heroku customer secrets stored in config var, the secrets are encrypted at rest and the threat actor did not access the encryption key necessary to decrypt config var secrets," the company noted.