Posted on May 6, 2022 at 5:33 PM
Heroku Resets Customers’ Passwords Following Hacking Attack
Salesforce-owned Heroku recently carried out a reset of user passwords in response to last month's hacking incident on its platform. The platform stated earlier that the exercise was necessary to secure accounts from further exposure.
Users Have Received Password Change Notification
Users of the platform have started receiving emails prompting them to reset their passwords. The email, titled ‘Heroku security information’, says that passwords would be forcibly reset today as a measure to protect user accounts.
“As part of our efforts to enhance our security and in response to an incident published on status.heroku.com, we wanted to inform you that we will begin resetting user account passwords on May 4, 2022,” the email reads, adding that it is part of the company’s measures to offer stronger protection in response to the recent attack.
Heroku also stated that the password change would invalidate all existing API access tokens. This will affect any existing application that depends on the API; such applications will stop working until new tokens are generated, the email noted.
Last month, threat actors abused stolen OAuth tokens to download data from private GitHub repositories belonging to npm and several other organizations.
GitHub Security started an investigation into the incident on April 12 and uncovered evidence that a threat actor had stolen OAuth user tokens. The tokens had been issued to two third-party integrators, Travis CI and Heroku, whose OAuth apps integrate with GitHub to deploy applications.
With the stolen tokens, the attackers could access and download data from the GitHub repositories of organizations that had authorized the compromised Travis CI or Heroku OAuth apps on their accounts.
Heroku’s Initial Response Was Vague
When the incident was discovered, Heroku’s initial response did not satisfy customers. The firm told customers that the data leak came from GitHub repositories belonging to accounts that had authorized its compromised OAuth applications.
Now that the company is forcing a password reset, some customers have expressed concern that Heroku’s investigation may have uncovered further malicious activity that the platform is deliberately trying to cover up.
Generally, when customers are forced to reset their passwords after a hacking incident, it suggests the impact of the attack could be significant if that precaution were not taken. As of the time of writing, Heroku has not disclosed the extent of the attack’s impact, and customers are left concerned.
Customers Showed Concern Regarding The Breach
Some of the platform’s customers have taken to various forums and social media platforms to allege that Heroku is not being transparent about the incident and is creating confusion for customers.
“This is turning into a complete train wreck and a case study on how not to communicate with your customers,” one customer posted on Y Combinator’s Hacker News.
Another user believes that Heroku’s decision to force a reset of customers’ passwords is a strong indication that there is more to the attack than the company is letting on. The user added that the forced reset comes three weeks after the attack, which is enough to know that something is up.
Another Hacker News reader posted that there was clearly a breach three weeks ago, which the firm has been investigating since, and that the investigation appears to have revealed something it is not comfortable sharing with customers. Many other users also commented, expressing their displeasure with the lack of transparency Heroku has shown while dealing with the hacking incident.
Heroku Explains Why Password Reset Notification Was Sent
In response to several complaints from customers, Heroku has explained why it decided to send password reset notifications to users. The platform stated that its investigation showed that the same stolen token had been used to access a database and to exfiltrate the hashed and salted passwords for customers’ user accounts.
As a result, Salesforce wants to ensure that all Heroku user account passwords are reset and that potentially affected credentials are refreshed. Heroku added that its investigation has not yet concluded and that further details will be made available through the appropriate channels if any other information is discovered. The firm said that, apart from the password reset, additional security measures have been put in place to protect customers against any further impact.