Salesforce Tower in New York City. Salesforce owns Heroku, which said in that a recent attack that compromised stolen HitHub integration OAuth tokens started on April 7 and by April 9. (By Whoisjohngalt, CC BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0, via Wikimedia Commons)

In a Thursday update to the stolen GitHub integration OAuth tokens case reported last month, Salesforce owned Heroku said the company’s investigation found that the same compromised token that was used in April’s  attack was used to gain access to a database and exfiltrate the hashed and salted passwords of customer user accounts.

Heroku said in a blog post that the original attack started on April 7 and by April 9, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub that contained some Heroku source code.

The researchers said GitHub identified the activity on April 12 and notified Salesforce on April 13, when Heroku started its investigation. By April 16, Heroku revoked all GitHub integration OAuth tokens, which preventing customers from deploying apps on GitHub via the Heroku Dashboard.  

Given the most recent database compromise, Salesforce has ensured that all Heroku user passwords are reset and that potentially affected credentials are refreshed. “We have rotated internal Heroku credentials and put additional detections in place, said the researchers, who added that they are “continuing to investigate the source of the token compromise.”

Credential management of the OAuth tokens was a big driver in this attack, and it’s coincidentally a part of the security recommendations from both GitHub and Heroku, said Corey O’Connor, director of products at DoControl. O’Connor said  in regard to the supply chain attack itself, beyond credential management, it would help to have better visibility across OAuth applications to understand which applications are installed including all sanctioned and unsanctioned apps.

“Event correlation, and extracting the business-context of all activity helps determine what is normal versus what presents risk,” O’Connor said. “Security teams also need to leverage that context and implement automated remediation to help aid in the prevention of unauthorized access to critical systems and applications.”

Craig Lurey, co-founder and CTO at Keeper Security, said stands as the latest in a series of high profile incidents related to malicious actors stealing infrastructure secrets: machine-to-machine credentials that give one system access to another one. Examples: the password for a database or an API certificate.

“The good news is that there’s a solution, secrets management that stores those credentials in a secure vault,” Lurey said. “The system does not have the credentials, they are retrieved at runtime, and not long standing on the systems. The system can confirm the requester is authenticated and is in a specific IP address. This makes it much more difficult for a malicious actor - or an insider threat- to steal a credential. When it comes to user log-ins, we always recommend a vault with unique passwords, and a second factor for any critical accounts. “

Casey Bisson, head of product and developer relations at BluBracket, said the Heroku breach disclosed on April 13 that resulted in theft of both OAuth tokens and the client secrets necessary to use them was very serious. Bisson said the nature of that breach means attackers had access to multiple classes of information stored in different locations, so it’s not surprising that the scope has grown as Heroku's investigation continues.

“Heroku’s communication has been regular and transparent,” Bisson said. “The messaging and actions prioritize customer security and don’t gloss over the unknowns. The Apr 21 update acknowledges the limits of their information, and the likelihood that some services would be unavailable until they resolve the uncertainty and can operate them securely again. It’s a bad situation that raises many questions about Heroku data management practices leading up to the breach. However, I think they deserve credit for their handling of it once it was disclosed to them.”