Heroku disclosed on Thursday that customer passwords were stolen during a cyberattack that took place a month ago, acknowledging that an incident that also involved code repository GitHub was worse than initially indicated.
Heroku initially revealed on April 15 that a threat actor had likely accessed Heroku's GitHub account using a stolen authorization token, or OAuth token, and downloaded certain private Heroku repositories on April 9. The download included "some" Heroku source code, according to the disclosure.
In an update posted Wednesday evening, Heroku said the attacker actually gained access to a Heroku database on April 7, and downloaded GitHub integration OAuth tokens belonging to customers at the time. Heroku, owned by Salesforce, is a widely used platform for building, running and operating applications, and touts on its website that it has been used to develop 13 million apps.
"Access to the environment was gained by leveraging a compromised token for a Heroku machine account," Heroku said in the update. Most concerning for customers: Heroku said the investigation into the incident found that the compromised token was used by the attacker to steal hashed and salted passwords for user accounts belonging to customers.
"For this reason, Salesforce is ensuring all Heroku user passwords are reset and potentially affected credentials are refreshed. We have rotated internal Heroku credentials and put additional detections in place," Heroku said.
The update did not specify how many customers or user accounts may have been impacted, or explain why details about stolen customer passwords are only being disclosed now.
"Nothing is more important to us than the security of customer data. We value transparency and, without compromising our ongoing investigation, we shared the additional details on the status page that may facilitate a deeper understanding for our customers of this issue. We continue to work diligently in response to this incident and have no further comment at this time," Salesforce said in a statement.
This week, Heroku began resetting user passwords, but told customers only that the action was related to last month's security incident, without giving any further explanation.
On Wednesday, GitHub announced that it will require developers who contribute code on the platform to use two-factor authentication by the end of 2023, and enterprise customers will also be able to require the use of two-factor authentication to access their repositories. Two-factor authentication helps protect customers and users against password breaches.
This story was updated to include a statement from Salesforce.