Last month, we shared the details of the hacking incident that happened on the 12th of April and resulted in data being extracted from private GitHub repositories using stolen OAuth user tokens. After the incident, GitHub stated that those OAuth tokens had been stolen through Heroku and Travis CI. Now, Heroku admits that its customer credentials were also stolen.
Resets all users’ passwords and API tokens
The cloud platform company Heroku started sending e-mails to its customers about a forced password reset and API token invalidation. However, the company did not tell customers why. After some pressure from customers, the company finally admitted that its internal customer database had also been breached, through the same OAuth token that was stolen last month.
“Our investigation also revealed that the same compromised token was leveraged to gain access to a database and exfiltrate the hashed and salted passwords for customers’ user accounts”
Heroku’s customers were not happy with the answer, since last month the company had said: “The compromised tokens could provide the threat actor access to customer GitHub repositories, but not customer Heroku accounts”. It turns out they actually could.