Salesforce platform-as-a-service provider Heroku has revealed that the April hack, which saw OAuth tokens for Microsoft Github integration downloaded by a threat actor, went further than initally thought, with customer passwords exfiltrated as well.
Heroku this week forced resets for user passwords, and also disabled application programming interface (API) access tokens, but at the time did not say why.
The password reset was thought to be brought on by the early April hack, and Heroku has now said this is the case.
"Separately, our investigation also revealed that the same compromised token was leveraged to gain access to a database and exfiltrate the hashed and salted passwords for customers’ user accounts," Heroku said.
"For this reason, Salesforce is ensuring all Heroku user passwords are reset and potentially affected credentials are refreshed.
"We have rotated internal Heroku credentials and put additional detections in place," the PaaS provider added.
this is incredibly serious, everyone who is using Heroku, or who has in the past, should read up on this thread. https://t.co/k9xj91gPAW— anildash (@anildash) May 5, 2022
At the time of writing, the threat actor behind the compromise is not known, but Heroku said its investigation continues.