Cloud Privacy Security

Heroku Admits That Customer Credentials Were Stolen In Cyberattack (bleepingcomputer.com) 4

Heroku has now revealed that the stolen GitHub integration OAuth tokens from last month further led to the compromise of an internal customer database. BleepingComputer reports: The Salesforce-owned cloud platform acknowledged the same compromised token was used by attackers to exfiltrate customers' hashed and salted passwords from "a database." Like many users, we unexpectedly received a password reset email from Heroku, even though BleepingComputer does not have any OAuth integrations that use Heroku apps or GitHub. This indicated that these password resets were related to another matter. [...]

In its quest to be more transparent with the community, Heroku has shed some light on the incident, starting a few hours ago. "We value transparency and understand our customers are seeking a deeper understanding of the impact of this incident and our response to date," says Heroku. The cloud platform further stated that after working with GitHub, threat intel vendors, industry partners and law enforcement during the investigation it had reached a point where more information could be shared without compromising the ongoing investigation:

"On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account. According to GitHub, the threat actor began enumerating metadata about customer repositories with the downloaded OAuth tokens on April 8, 2022. On April 9, 2022, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code. GitHub identified the activity on April 12, 2022, and notified Salesforce on April 13, 2022, at which time we began our investigation. As a result, on April 16, 2022, we revoked all GitHub integration OAuth tokens, preventing customers from deploying apps from GitHub through the Heroku Dashboard or via automation. We remain committed to ensuring the integration is secure before we re-enable this functionality." Heroku users are advised to continue monitoring the security notification page for updates related to the incident.

  • Access delegation man... The perfect recipe for one breach to propagate without the user knowing.

    Again, this is technology designed to give people who can't be bothered to take any sort of interest in their own computer security a smooth experience when they patronize their favorite Big Data-owned websites.

    And anyway, just look who's behind OAuth: Amazon, Facebook, Google, Microsoft... Do I want those privacy-invading mastodonts accessing one another's information about me without supplying my own cre

    • And that's why you have MFA.
    • Sometimes it is necessary to authenticate between services.

      However this is a problem on both Heroku and GitHub's side, permissions should be a lot more granular and have restrictions such as IP or domain ranges it can be used with which kind of goes back to letting customers run their own infrastructure instead of *.Google.com or *.amazon.com
