Cloud application platform Heroku has confirmed that the recent cybersecurity incident, in which GitHub integration OAuth tokens were stolen, led to further compromises and resulted in the theft of user information. identification of customers.
After some pressure from the community, to further clarify the incident and why it started sending password reset emails to its customers, the Salesforce-owned company confirmed that the Compromised tokens were used, by unknown thread actors, to obtain hashed information and salted passwords, belonging to its customers, from “a database”.
“For this reason, Salesforce is ensuring that all Heroku user passwords are reset and potentially affected credentials are refreshed. We’ve rotated internal Heroku credentials and implemented additional detections. a safety notice.
The database Heroku is referring to, according to someone previously affiliated with the company, is most likely “core-db”, BeepComputer found.
Commenting on the news, Craig Kerstiens of PostgreSQL CrunchyData platform said: “The latest report talks about ‘a database’ which is presumably the internal database. I don’t want to speculate too much, but it seems [the attacker] had access to internal systems. It was GitHub that detected and noticed it and reported it to Heroku. Don’t disagree that there should be more clarity, but better follow up with Salesforce on this.”
But stolen passwords could end up being the least of Heroku’s concerns, as the community has been highly critical of the company’s handling of the incident and how it communicated with its users and customers. After the initial incident, on April 12, the company began force-resetting passwords for some of its user accounts, without fully explaining what happened.
After almost three weeks, Heroku gave a full explanation, which some YCombinator Hacker News readers described as “a complete train wreck and a case study in how not to communicate with your customers.”