
Cyber Incident Victim: Heroku

Date:

Apr 2022

Location:

United States of America

Summary

A security incident involving stolen OAuth tokens issued to the Heroku and Travis CI GitHub integrations enabled threat actors to access and download data from private GitHub repositories, including those of npm and other organizations. Heroku initiated forced password resets for affected users, invalidating their API tokens and disrupting automated services, but provided minimal detail on the breach's scope or the rationale for the resets beyond referencing the initial compromise. Customers expressed frustration over the lack of transparency, suspecting undisclosed malicious activity, while support teams directed inquiries to vague status updates without further clarification.

Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors

Description

In April 2022, Heroku, a Salesforce-owned cloud platform, experienced a security incident involving compromised OAuth tokens that enabled unauthorized access to private GitHub repositories. GitHub Security opened an investigation on April 12 after detecting threat actors abusing stolen OAuth user tokens issued to Heroku and Travis CI, third-party integrators used to deploy applications. The attackers used these tokens to download data from dozens of organizations, including npm, targeting repositories belonging to accounts that had authorized the compromised Heroku or Travis CI OAuth applications. Heroku initially disclosed the breach as limited to GitHub repository access via the compromised OAuth integrations but provided minimal detail about the scope or the attacker's methodology. This lack of transparency generated immediate customer concern about potential undisclosed risks.


On May 4, 2022, Heroku escalated its response by forcibly resetting passwords for a subset of user accounts, citing the April incident as justification while offering no specific explanation for the action. The password resets invalidated all associated API tokens, disrupting automated workflows and applications reliant on Heroku’s API until new tokens were generated. Customers received emails framing the reset as a security enhancement measure, but Heroku’s status updates and support channels failed to clarify whether new evidence of malicious activity had emerged. The forced resets extended to accounts without GitHub or OAuth integrations, including BleepingComputer reporters, suggesting broader credential exposure than initially acknowledged. Heroku’s engineering team confirmed they were working on a resolution but declined to provide additional details to affected users or journalists, directing inquiries to generic status posts that omitted critical context. Customer frustration mounted on forums like Hacker News, with users criticizing the opaque communication and unresolved questions about the incident’s full impact.
