Heroku acknowledges that a hack resulted in the theft of user credentials.




Heroku has confirmed that the GitHub integration OAuth tokens stolen last month were also used to gain access to an internal customer database.

The Salesforce-owned cloud platform confirmed that attackers used the same stolen token to exfiltrate customers’ hashed and salted passwords from “a database.”

Heroku published the update after BleepingComputer contacted Salesforce yesterday.

Like many other customers, BleepingComputer unexpectedly received a password reset email from Heroku even though it has no OAuth connections between Heroku applications and GitHub. That suggested there was another reason for the resets.

Forced password resets are explained by Heroku.

Following the security breach from last month, Heroku began this week forcing password changes for a portion of its user accounts without providing a detailed justification.

On Tuesday evening, some Heroku users received emails with the subject line “Heroku security notification – changing user account passwords on May 4, 2022,” informing them that their account passwords would be reset as a result of the security incident. The email noted that the reset would also invalidate all API access tokens and require users to generate new ones.

The original incident, however, involved threat actors obtaining OAuth tokens issued to Heroku and Travis-CI and using them to download data from private GitHub repositories belonging to a number of organisations, including npm.

According to a previous statement from GitHub, “On April 12, GitHub Security started an investigation that uncovered evidence that an attacker exploited stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organisations, including npm.”

These tokens have previously been used by the OAuth integrations of the Travis-CI and Heroku platforms to link with GitHub and release apps.

By stealing these OAuth tokens, the threat actors could access and download data from the GitHub repositories of users who had authorised the compromised Heroku or Travis CI OAuth applications on their accounts. GitHub’s own infrastructure, processes, and private repositories were not affected.

But up until this point, it was still unclear why Heroku would need to reset some user account passwords.

It turns out that the threat actors used the compromised token for a Heroku machine account to reach Heroku’s internal customer account database.

Heroku’s updated security notice states: “Our research also discovered that the same compromised token was used to access a database and exfiltrate the hashed and salted passwords for users’ accounts.”

“Because of this, Salesforce is making sure that all Heroku user passwords are changed and that any potentially vulnerable credentials are updated. We have added more detections and rotated internal Heroku credentials. We are still looking into the token compromise’s origin.”
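Why a forced reset follows the theft of a hashed and salted password table, shown as an added example rather than anything from Heroku’s code or schema: a per-user salt defeats precomputed tables but not offline guessing, because each salt sits right next to its hash, so weak passwords fall to a wordlist and only a reset (new salt, new hash) kills what the attacker can recover. The users, salts, passwords, wordlist and PBKDF2 parameters below are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets

# Deliberately low so the demo runs in well under a second; a production
# store would use a far higher count or a memory-hard KDF (constructed value).
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash in the shape a reasonable credential store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_sample_table() -> dict:
    """Constructed 'users' table: {username: (salt, digest)}.

    Two guessable passwords beside one strong random one; none of these
    names or secrets come from any real breach.
    """
    plaintexts = {
        "alice": "password123",
        "bob": "heroku2022",
        "carol": secrets.token_urlsafe(24),  # strong, absent from any wordlist
    }
    table = {}
    for user, password in plaintexts.items():
        salt = os.urandom(16)  # fresh random salt per user
        table[user] = (salt, hash_password(password, salt))
    return table


# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "password123", "heroku2022", "letmein", "qwerty"]


def crack(table: dict, wordlist: list) -> dict:
    """Offline dictionary attack against an exfiltrated salted table.

    The salt forces one hash computation per (user, candidate) pair instead
    of a single precomputed lookup, but the attacker holds every salt, so
    guessing proceeds user by user. Returns {username: recovered password}.
    """
    recovered = {}
    for user, (salt, digest) in table.items():
        for candidate in wordlist:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                recovered[user] = candidate
                break
    return recovered


def verify(table: dict, user: str, password: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    salt, digest = table[user]
    return hmac.compare_digest(hash_password(password, salt), digest)


def reset_password(table: dict, user: str, new_password: str) -> None:
    """Forced reset: new random salt and new digest for the user.

    Anything the attacker cracked from the stolen copy no longer verifies,
    which is the point of resetting every account after an exfiltration.
    """
    salt = os.urandom(16)
    table[user] = (salt, hash_password(new_password, salt))


if __name__ == "__main__":
    users = build_sample_table()
    print("cracked before reset:", crack(users, WORDLIST))
    reset_password(users, "alice", "correct horse battery staple")
    print("old password still works for alice?", verify(users, "alice", "password123"))
    print("cracked after reset:", crack(users, WORDLIST))
```

The `crack` function is the attacker’s side and `reset_password` the defender’s; running the block shows the two weak accounts recovered from the table as stolen, then dropping out once their passwords are rotated. Invalidating API tokens alongside the reset, as Heroku’s email described, closes the equivalent path for credentials that are not passwords.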

A Hacker News reader suggested that the “database” in question may be what was once known internally as “core-db.”

The reader is Craig Kerstiens of the PostgreSQL platform CrunchyData, a former Heroku employee.

Kerstiens noted that the latest report refers to the internal database only as “a database.”

“It appears [the attacker] had access to internal systems, but I don’t want to guess too much. It was discovered, noted, and reported to Heroku by GitHub. You can’t argue against the need for further clarification, but it would be wise to follow up with Salesforce on that.”

Customers call the vague disclosure a “train wreck.”

In its first statement about the breach, Heroku said that attackers had used compromised Heroku OAuth tokens to gain unauthorised access to GitHub repositories.

The company had previously said that “The compromised tokens might provide the threat actor access to client GitHub repos, but not customer Heroku accounts.”

The password reset emails, however, legitimately raised customer concerns that Heroku’s investigation had turned up further malicious activity by the threat actors that was not being disclosed.

Some Hacker News readers called the disclosure “a total train wreck and a case study on how not to interact with your consumers.”

Heroku has started to shed some light on the issue in an effort to be more open with the community.

According to Heroku, “We embrace transparency and recognise that our customers are looking for a better understanding of the implications of this event and our reaction thus far.”

The cloud platform said that it had reached a stage where additional material could be disclosed without jeopardising the current investigation after cooperating with GitHub, threat intelligence suppliers, industry partners, and law enforcement during the inquiry:



What is faze save kidshaywarddecrypt?





“Faze Save Kidshaywarddecrypt” likely refers to a meme or joke within the gaming community.

Esports faze save

“Faze Clan” is a professional esports and entertainment organization, primarily known for their presence in the Call of Duty and Counter-Strike: Global Offensive scenes. “Faze Save” could refer to a clutch play or a significant moment in a match where a player from the Faze Clan saved the round for their team. However, without more context, it’s difficult to determine the specific meaning of “Faze Save.”

Several players from the popular esports organisation FaZe Clan were recently suspended for promoting a controversial cryptocurrency called Save The Kids. Save The Kids was advertised as an alternative to Dogecoin and Ethereum, and it promised to donate a portion of the proceeds to charity. The controversy caused a huge backlash from fans, who slammed the clan for its shady business practices.

The members of FaZe Clan have denied being involved with the scheme, but anyone found to be involved in the scheme could face serious consequences. FaZe Clan’s reputation could be ruined, and potential sponsors could be discouraged from working with the group.

Faze clan save

“Faze Clan Save” could refer to a clutch play or a significant moment in a match where a player from the Faze Clan saved the round for their team. It might be used to describe a play that was critical to the outcome of a match and helped secure a win for Faze Clan.

faze save the kids

“Save the Kids” is a phrase that has become popular in internet culture and is often used as a hashtag or meme. The exact meaning of “Save the Kids” varies depending on the context, but it generally refers to a call to action or a show of support for a cause, often related to children’s rights, safety, or well-being.

In the context of “Faze Save the Kids”, it’s possible that it is a reference to the Faze Clan supporting the “Save the Kids” cause or using the phrase as a rallying cry within the gaming community. However, without more context, it is difficult to determine the exact meaning.



Sources: On Monday, Facebook will reveal a range of music products, such as a Clubhouse-like app, a podcast discovery service integrated with Spotify, and more. (Vox, Peter Kafka)




Peter Kafka / Vox:

According to sources, Facebook will unveil several audio products on Monday, including a Clubhouse-like app, a podcast discovery service integrated with Spotify, and more. The announcements will be made on Monday, although some of the products will not be available for some time. Facebook wants you to start talking to other people on its platform.



ByteDance’s founder Zhang Yiming steps down as Executive Chairman



Zhang Yiming, founder of TikTok’s parent company ByteDance, has stepped down as chairman, after announcing last May that he was resigning as CEO to move into a strategy role. New CEO Liang Rubo has taken over as chairman of the company’s board. The news comes shortly after ByteDance announced a major organisational reshuffle that created six separate business units.