
Heroku admits to hacking customer database after OAuth token theft



Heroku has now revealed that stolen GitHub integration OAuth tokens last month further led to the compromise of an internal customer database.

The Salesforce-owned cloud platform acknowledged that attackers used the same compromised token to leak encrypted and salted customer passwords from “a database.”

The Heroku update comes after BleepingComputer contacted Salesforce yesterday.

Like many users, we unexpectedly received a password reset email from Heroku, even though BleepingComputer doesn’t have any OAuth integration that uses Heroku or GitHub apps. This indicated that these password resets were related to something else.

Heroku explains forced password resets

This week, Heroku began performing forced password resets for a subset of its user accounts after last month’s security incident, without fully explaining why.

On Tuesday night, some Heroku users received emails titled “Heroku Security Notification: User Account Password Reset May 4, 2022,” informing them that their account passwords were being reset as part of the security incident response. The reset would also invalidate all API access tokens and require users to generate new ones, the email explained.

But, the original security incident referenced involved threat actors stealing OAuth tokens issued to Heroku and Travis-CI and abusing them to download data from private GitHub repositories belonging to dozens of organizations, including npm.

“On April 12, GitHub Security launched an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm,” GitHub previously disclosed.

These tokens had previously been used by Travis-CI and Heroku OAuth apps to integrate with GitHub to deploy apps.

By stealing these OAuth tokens, threat actors could access and download data from GitHub repositories belonging to those who authorized the compromised Heroku or Travis CI OAuth apps with their accounts. Please note that GitHub’s private infrastructure, systems, or repositories were not affected by the incident.

But that still didn’t explain why Heroku would need to reset some user account passwords, until now.

It turns out that the compromised token for a Heroku machine account obtained by threat actors also allowed unauthorized access to Heroku’s internal database of customer accounts:

“Our investigation also revealed that the same compromised token was leveraged to gain access to a database and leak the salted and encrypted passwords of customer user accounts,” Heroku explains in an updated security notification.

“For this reason, Salesforce ensures that all Heroku user passwords are reset and potentially affected credentials are updated. We have rotated internal Heroku credentials and implemented additional detections. We are continuing to investigate the source of the token compromise.”

A YCombinator Hacker News reader alleged that the referenced “database” might be what was once called “core-db”.

The reader in question seems to be Craig Kerstiens.