Heroku has explained why it emailed users with a sudden password reset warning earlier this week, and how it was due to the theft of OAuth tokens from GitHub.
"[Our investigation] revealed that the same compromised token was leveraged to gain access to a database and exfiltrate the hashed and salted passwords for customers' user accounts," the company said in its incident notification.
"For this reason, Salesforce is ensuring all Heroku user passwords are reset and potentially affected credentials are refreshed. We have rotated internal Heroku credentials and put additional detections in place. We are continuing to investigate the source of the token compromise."
The company also said an attacker first gained access on April 7, two days before the previous earliest date of the attack made public by either Heroku or GitHub.
"On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account," it said.
"According to GitHub, the threat actor began enumerating metadata about customer repositories with the downloaded OAuth tokens on April 8, 2022. On April 9, 2022, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code."
GitHub noticed the activity on April 12, with a notification from GitHub landing on April 13, and Heroku revoking all GitHub integration OAuth tokens three days later.
"We value transparency and understand our customers are seeking a deeper understanding of the impact of this incident and our response to date," the company said at the top of the incident notification page that has been running since April 15.
Heroku has previously said it would not be reconnecting to GitHub until it was certain it was safe to do so.
This week, GitHub said it would be mandating the use of multi-factor authentication by end of 2023.