Salesforce-owned Heroku is performing a forced password reset on a subset of user accounts in response to last month’s security incident, and provides no information as to why it is doing so other than vaguely stating that it is to further protect accounts.
Last night, some Heroku users began receiving emails titled ‘Heroku Security Notification: User Account Password Reset May 4, 2022’ stating that their passwords would be forcibly reset today in response to last month’s security incident.
“As part of our efforts to improve our security and in response to an incident posted on status.heroku.com, we want to inform you that we will begin resetting user account passwords on May 4, 2022,” read the email sent to Heroku customers.
Heroku also warned that changing the password would invalidate all API access tokens, causing existing automation or applications that depend on the API to stop working until new tokens are generated.
This email is related to a security incident that occurred last month when threat actors abused stolen OAuth tokens to download data from private GitHub repositories belonging to dozens of organizations, including npm.
“On April 12, GitHub Security launched an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm,” GitHub revealed.
These stolen tokens had been issued to the Travis-CI and Heroku OAuth apps, which integrate with GitHub to deploy applications.
Using these stolen OAuth tokens, threat actors could access and download data from GitHub repositories belonging to those who authorized the compromised Heroku or Travis CI OAuth apps with their accounts.
Vague answers from Heroku worry customers
When Heroku first disclosed the security incident, it stated that the unauthorized access was limited to GitHub repositories belonging to accounts that had authorized its compromised OAuth apps.
With Heroku now forcing password resets, customers are rightfully concerned that their investigation may have uncovered more malicious activity by threat actors than is being disclosed.
In a Y Combinator Hacker News thread about the emails, customers say that Heroku is not being transparent enough about the attack and is creating more confusion for its customers.
“This is turning into a complete train wreck and a case study in how not to communicate with your customers,” one person posted about the emails.
Another reader believes that the sudden forced resets, three weeks after the initial disclosure, mean there is more to the attack than Heroku is revealing.
“There was certainly a breach three weeks ago that they seem to have been looking into ever since. Like the previous commenter, I’m not too sure about their statement, mainly due to the complete lack of transparency so far,” another Hacker News reader posted.
“The fact that they’re only now sending out additional notifications to rotate credentials suggests something bigger than what they initially announced, but we really have no idea as they never gave much detail in the first place.”
When this reporter contacted Heroku support about the incident after receiving one of the emails, Heroku support told me to check their status post.
However, this status post does not contain any information as to why password resets are being performed, and when I pressed the support agent about this, they told me that the support team has no further information.
Also, BleepingComputer does not use any OAuth integration between the Heroku and GitHub apps, indicating that these password resets are related to something else.
“I realize this is frustrating and not what you’d like to hear. Our engineering and security teams are working to get a resolution as quickly as possible,” Heroku said.
BleepingComputer also reached out to Heroku’s press contact with questions about the password reset, but has not received a response.