Heroku

Heroku, the popular cloud platform, had to forcibly reset some user passwords after its users were targeted in a security breach.

The hackers obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens by leveraging a compromised token for a Heroku machine account.

Heroku worked with GitHub, threat intelligence vendors, and even law enforcement to investigate the incident.

In response to the incident, Heroku rotated all config var credentials, changed passwords, and rotated API keys and 2FA.

Source: https://therecord.media/heroku-breach-salesforce-oauth-github/

TPRM report: https://scoringcyber.rankiteo.com/company/heroku

{
  "id": "her12557522",
  "linkid": "heroku",
  "type": "Breach",
  "date": "05/2022",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of a geographical region"
}
{'affected_entities': [{'industry': 'Technology',
                        'name': 'Heroku',
                        'type': 'Cloud Platform'}],
 'attack_vector': 'Compromised Token',
 'data_breach': {'data_exfiltration': True,
                 'type_of_data_compromised': 'GitHub integration OAuth tokens'},
 'description': 'Heroku had to forcibly reset some user passwords after they '
                'were targeted in a security breach. Hackers obtained access '
                'to a Heroku database and downloaded stored customer GitHub '
                'integration OAuth tokens by leveraging a compromised token '
                'for a Heroku machine account.',
 'impact': {'data_compromised': 'GitHub integration OAuth tokens',
            'systems_affected': 'Heroku database'},
 'initial_access_broker': {'entry_point': 'Compromised OAuth token'},
 'investigation_status': 'Investigation in progress',
 'post_incident_analysis': {'corrective_actions': ['Rotated all config var '
                                                   'creds',
                                                   'Changed passwords',
                                                   'Rotated API Key and 2FA'],
                            'root_causes': 'Compromised OAuth token for a '
                                           'Heroku machine account'},
 'response': {'law_enforcement_notified': True,
              'remediation_measures': ['Rotated all config var creds',
                                       'Changed passwords',
                                       'Rotated API Key and 2FA'],
              'third_party_assistance': ['GitHub',
                                         'Threat intelligence vendors']},
 'title': 'Heroku Security Breach',
 'type': 'Security Breach',
 'vulnerability_exploited': 'Compromised OAuth token for a Heroku machine '
                            'account'}