Postmortem Index


Heroku April 2022 security incident

Heroku

Dates: 2022-04-07 to 2022-04-14
Tags: automation, config-change

A security incident affecting Heroku systems began on April 7, 2022, when a threat actor gained unauthorized access to a Heroku database. The actor subsequently obtained customer GitHub integration OAuth tokens and downloaded Heroku’s private GitHub repositories between April 8 and April 9, 2022. GitHub notified Salesforce of a potential security issue on April 13, 2022, prompting an immediate investigation by Heroku.

The unauthorized access was identified as a supply-chain attack: the initial compromise stemmed from a token for a Heroku machine account that the actor found in an archived private GitHub repository reached via a third-party integration. The threat actor exfiltrated customer GitHub integration OAuth tokens, Heroku’s private GitHub repositories, customer account usernames and hashed/salted passwords, and pipeline-level config vars for Review Apps and Heroku CI.

Customer impact included the potential compromise of private GitHub repositories and the exfiltration of sensitive account data. Heroku notified affected customers, revoked existing GitHub integration tokens, and mandated a password rotation for customer accounts due to the exfiltration of hashed and salted passwords, especially for those without multi-factor authentication enabled. These actions, while critical for security, caused some inconvenience to customers.

Heroku took swift containment actions, disabling compromised OAuth tokens and GitHub accounts within hours of notification. Further remediation included revoking all existing GitHub integration tokens, preventing new token creation, placing restrictions on token permissions and database access, and implementing a production moratorium. They also rotated critical credentials, engaged third-party incident response and threat intelligence partners, and installed enhanced threat detection tools.

Through these diligent efforts, Heroku effectively disrupted the threat actor’s infrastructure, with no evidence of unauthorized access since April 14, 2022. The investigation concluded on May 30, 2022, leading to significant improvements in Heroku’s security posture and ongoing efforts to strengthen defenses against evolving threats.

Keywords

heroku, security, data breach, oauth, github, supply chain attack, database, credentials