Heroku confirms user details were stolen by hackers

News
By published

Theft finally confirmed by Heroku

Data Breach
Image Credit: Shutterstock (Image credit: Shutterstock)

Cloud application platform Heroku has confirmed that the recent cybersecurity incident, in which GitHub integration OAuth tokens were stolen, has led to further compromise, and ended up with customer credentials being stolen.

After some pressure by the community, to provide more clarity surrounding the incident, and why it started sending out password reset emails to its customers, the Salesforce-owned company confirmed that the compromised tokens were used, by unknown thread actors, to obtain hashed and salted passwords, belonging to its customers, from “a database”.

"For this reason, Salesforce is ensuring all Heroku user passwords are reset and potentially affected credentials are refreshed. We have rotated internal Heroku credentials and put additional detections in place. We are continuing to investigate the source of the token compromise,” it said in a security advisory.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Internal databases

The database Heroku is referring to, according to a person previously affiliated with the company, is most likely "core-db”, BleepingComputer found.

Commenting on the news, Craig Kerstiens of PostgreSQL platform CrunchyData, said: "The latest report states about 'a database' which is presumably the internal database. I don't want to speculate too much, but it seems [the attacker] had access to internal systems. GitHub were the ones that detected and noticed it and reported to Heroku. Do not disagree that there should be more clarity, but best to follow up with Salesforce on that."

Read more

> A mystery hacker is smuggling data out of private code repositories, GitHub warns

> OAuth: what you need to know

> OAuth apps are being exploited to launch cyberattacks

But stolen passwords might end up being the least of Heroku’s concerns, as the community has vocally criticized how the company handled the incident, and how it communicated with its users and customers. After the original incident, on April 12, the company started forcing password resets for some of its user accounts, without fully explaining what had happened. 

After almost three weeks, Heroku has given a full explanation, which some readers on YCombinator Hacker News described as “a complete train wreck and a case study on how not to communicate with your customers."

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Google Chrome extensions targeted by hackers to steal user passwords
GrubHub app on a mobile phone
GrubHub reveals massive data breach - customers, drivers, businesses all affected, here's what we know
Avast cybersecurity
Zapier tells customers their data may have been accessed
A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
LastPass 2022 hack fallout continues with millions of dollars more reportedly stolen
Shadowed hands on a digital background reaching for a login prompt.
This worrying Git flaw could lead to users leaking credentials
No broadband network
Massive online data breach sees 2.7 billion records leaked - here's what we know
Latest in Security
person at a computer
Many workers are overconfident at spotting phishing attacks
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Latest in News
A man getting angry with his laptop.
Windows 11 bug deletes Copilot from the OS – is this the first glitch ever some users will be happy to encounter?
An image of the Samsung Galaxy S25 Ultra from a hands-on event
Samsung's latest software upgrade could mean Galaxy phones beat iPhones for gaming – but you can't get it yet
person at a computer
Many workers are overconfident at spotting phishing attacks
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
More about security
person at a computer

Many workers are overconfident at spotting phishing attacks
Money

Financial leaders still rely on regular tools like Excel for automation tasks over AI
A man getting angry with his laptop.

Windows 11 bug deletes Copilot from the OS – is this the first glitch ever some users will be happy to encounter?
See more latest
Most Popular
A man getting angry with his laptop.
Windows 11 bug deletes Copilot from the OS – is this the first glitch ever some users will be happy to encounter?
An image of the Samsung Galaxy S25 Ultra from a hands-on event
Samsung's latest software upgrade could mean Galaxy phones beat iPhones for gaming – but you can't get it yet
person at a computer
Many workers are overconfident at spotting phishing attacks
BraX3
This obscure brand wants to launch the most privacy-friendly smartphone ever without Google, but with a mysterious open-source OS at its core
HAMR
Seagate reportedly sold two billion GBs worth of storage to two of the world's largest tech companies
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
Oracle
Bluehost owner is moving to Oracle Cloud, so could thousands of websites be about to migrate?