Heroku is resetting the passwords of all of its user accounts. The move comes about a month after the company’s OAuth tokens were stolen.
Cloud platform Heroku has asked its users to change their passwords before the company resets them itself. API tokens will also expire, so apps running on the platform may stop working until a new token is created. According to Heroku, this is the PaaS vendor’s response to a “security incident” in which some user accounts were compromised.
However, that incident happened almost a month ago. In April, OAuth tokens from Heroku and another company, Travis CI, were stolen, GitHub said in a security report. Those authentication tokens allowed attackers to download data from GitHub from various organizations.
GitHub reported this to its own customers, as well as to Heroku, in mid-April. Still, Heroku apparently failed to understand, or to clearly communicate, the magnitude of the leak for several weeks. In addition, the cloud provider says in its own investigation that the attackers could also reach Heroku’s own GitHub repositories (code databases) and may have obtained source code from the platform.
In the incident, (hashed) user passwords were also allegedly stolen. Therefore, the passwords of all accounts are now being reset at the request of Salesforce, which owns Heroku.