On Thursday Heroku disclosed that users’ passwords were stolen during a cyberattack that occurred a month ago, confirming that the attack also involved the code repository GitHub. Heroku revealed that the stolen GitHub integration OAuth tokens from last month further led to the compromise of an internal customer database.
Following the attack, the organization has notified its customer that the company is going to reset their passwords on May 4 unless they change passwords beforehand. In this process, the company has also warned its users that the existing API access tokens will also be inactive and new ones have to be generated for future work.
"We appreciate your collaboration and trust as we continue to make your success our top priority. The initial detection related to this campaign occurred on April 12 when GitHub Security identified unauthorized access to our npm production infrastructure using a compromised AWS API key," GitHub said.
"Based on subsequent analysis, we believe this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above."
The attack in question relates to the theft of OAuth tokens that GitHub saw in April, which impacted four OAuth applications related to Heroku Dashboard and one from Travis CI.
By stealing these OAuth tokens, malicious actors could access and download data from GitHub repositories belonging to those who authorized the compromised Heroku or Travis CI OAuth apps with their accounts. However, GitHub’s infrastructure, private repositories, and systems themselves were not impacted by the attack.
While reporting that they had informed Heroku and Travis-CI of the incident on April 13 and 14, GitHub said, it "contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users."