Heroku to begin user password reset almost a month after GitHub OAuth token theft

Heroku users are urged to change their passwords before the company does it for them; the reset will also invalidate all existing API access tokens.
Written by Chris Duckett, Contributor

Heroku has alerted a "subset" of its users that it will reset their passwords on May 4 unless they change them beforehand. The company warns that the reset will also invalidate existing API access tokens, which will need to be regenerated.

Publicly, the company has only said "a subset" of its customers would be emailed "regarding our continuous efforts to enhance security".

"We appreciate your collaboration and trust as we continue to make your success our top priority," it said on a security incident notification that has been running for 18 days and counting.

The incident in question relates to a theft of OAuth tokens that GitHub detected in April, affecting tokens issued to two third-party integrators: four OAuth applications belonging to Heroku Dashboard and one belonging to Travis CI.

"The initial detection related to this campaign occurred on April 12 when GitHub Security identified unauthorised access to our npm production infrastructure using a compromised AWS API key," GitHub said.

"Based on subsequent analysis, we believe this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above."

GitHub said it informed Heroku and Travis CI of the incident on April 13 and 14.

"GitHub contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users," it said.

By April 27, GitHub said it was sending out its final notifications to impacted customers, and said the attackers had used the stolen OAuth tokens issued to Heroku and Travis CI to list users' organisations, select targets from that list, and then clone private repositories.

"This pattern of behaviour suggests the attacker was only listing organisations in order to identify accounts to selectively target for listing and downloading private repositories," GitHub said.

"GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behaviour using the compromised OAuth tokens issued to Travis CI and Heroku."

For its part, Heroku said on its incident page that it was alerted on April 13 that a subset of its private repositories and source code had been downloaded on April 9. It then revoked the tokens used by the Heroku GitHub integration, and said on April 23 that the integration would remain disabled.

"We take the protection of our customers very seriously, and as a result, we will not be reconnecting to GitHub until we are certain that we can do so safely, which may take some time. We recommend that customers use alternate methods rather than waiting for us to restore this integration," Heroku said.

Since then, and up until Tuesday, the Salesforce-owned company has been posting almost daily updates that simply state the investigation is ongoing and ask customers to send it their logs from GitHub.
