Heroku Forces User Password Resets but Fails to Explain Why
Salesforce-owned Heroku is performing a forced password reset on a subset of user accounts in response to last month’s security incident, while providing no information as to why it is doing so other than vaguely mentioning that it is to further secure accounts.
Last night, some Heroku users began receiving emails titled ‘Heroku security notification – resetting user account passwords on May 4, 2022’ stating that passwords would be forcibly reset today in response to last month’s security incident.
“As part of our efforts to enhance our security and in response to an incident published on status.heroku.com, we wanted to inform you that we will begin resetting user account passwords on May 4, 2022,” read the email sent to Heroku customers.
Heroku also warned that changing the password would invalidate all API access tokens, causing existing automation or applications that rely on the API to no longer work until new tokens are generated.
This email is related to a security incident that occurred last month when threat actors abused stolen OAuth tokens to download data from private GitHub repositories belonging to dozens of organizations, including npm.
“On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm,” disclosed GitHub.
These stolen tokens were used by Travis-CI and Heroku OAuth applications to integrate with GitHub to deploy applications.
Using these stolen OAuth tokens, threat actors could access and download data from GitHub repositories belonging to those who authorized the compromised Heroku or Travis CI OAuth apps with their accounts.
Heroku’s vague responses concern customers
When Heroku first disclosed the security incident, it stated that the unauthorized access was related to GitHub repositories belonging to accounts that used its compromised OAuth applications.
With Heroku now forcing password resets, customers are rightfully concerned that their investigation may have uncovered further malicious activity by the threat actors that is not being disclosed.
In a Y Combinator Hacker News post about the emails, customers say that Heroku is not being transparent enough about the attack and is creating further confusion for customers.
“This is turning into a complete train wreck and a case study on how not to communicate with your customers,” a person posted about the emails.
Another poster believes that the sudden forced resets, three weeks after the initial disclosure, means that there is more to the attack than Heroku is disclosing.
“There was certainly a breach three weeks ago that they seem to have been investigating since. I am, like the commenter above, not filled with confidence about their statement, mostly because of the total lack of transparency so far,” posted another Hacker News reader.
“The fact they’re only now sending additional notifications to rotate creds hints at something bigger than they initially announced, but really we have no idea since they never gave much detail in the first place.”
When this reporter reached out to Heroku support about this incident after receiving an email, Heroku support told me to refer to their status post.
However, this status post does not contain any information as to why password resets are being conducted, and when I pressed the support agent about this, I was told that the support team does not have any further information.
Furthermore, BleepingComputer does not have any OAuth integrations using Heroku apps or GitHub, indicating that these password resets are related to something else.
“I realize this is frustrating and not what you’d like to hear. Our engineering and security teams are working towards a resolution as quickly as possible,” Heroku said.
BleepingComputer also reached out to Heroku’s press contact with questions regarding the password reset but has not heard back.