Heroku—a cloud platform as a service (PaaS)—has disclosed a recent security incident in the form of a cyberattack that took place April 9th, 2022. This attack involving token compromise was more severe than initially thought so they began forcing user password resets in an attempt to minimize impact.
The Heroku breach involved the exposure of OAuth tokens for GitHub integrations. And once a hacker can access tokens, they are likely granted access to the system at large. Heroku has implied this breach provided the attacker access to data from their core database.
The attacker was able to gain access to Heroku’s system through “a compromised token for a Heroku machine account.”
What The Heroku Breach Means for Cloud Users
Some GitHub users on the Heroku platform had data downloaded by an attacker from private code repositories. The attacker proceeded to list out the repositories from targeted user accounts before cloning some of these private customer repositories.
The full scope of the attack could potentially grow. According to Github:
“Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.”
It’s unclear exactly how Heroku users like Copado have been affected by this breach. In fact, it will take months for users to fully understand the damage and exact nature of their particular exposure. Most of Copado’s infrastructure is hosted on Heroku. And because of the way Copado is positioned as an integration hub for their customers’ Salesforce instance, version control, and application lifecycle, the Heroku breach breach turns their service into a choke point.
The attacker gains access to all of the customers’ disparate systems once they breach the Copado API.
How This Could Be Avoided
The Heroku breach is a prime example of why InfoSec teams need to be extremely careful about where their Salesforce release tools are hosted and how they are guarded. Hosting an application on-prem eliminates the possibility of this type of breach altogether.
