Heroku resets all users’ passwords. This is related to a previous security incident where OAuth tokens were misused to attack GitHub repos. Users’ passwords were also stolen.
Heroku has started notifying users. As of this week, they have been receiving e-mails stating that their passwords will be reset. Users must create a new password for their Heroku accounts. Heroku warns that, as a result, applications running on the platform may no longer work. The password reset also means that other applications that access the Heroku API will stop working, the platform writes in the e-mail; users must first create new access tokens for them. The company also recommends that users enable multi-factor authentication, but does not require it.
The reset is related to a previous security incident. In April it emerged that attackers had stolen OAuth tokens, which they used to download data from private repos on GitHub. Among the affected repos were those of npm. GitHub then reported that the tokens came from two services that offered OAuth integration: Heroku and Travis-CI. Heroku had previously revoked the access tokens of users' applications.
Initially, the exact extent of the incident was unclear. Tokens were also revoked for users who had not integrated GitHub with Heroku, and the current password reset likewise applies to all Heroku accounts. Heroku now writes in an update that the attackers gained access to Heroku's own private repos, which also contained source code. The attackers also had access to a database containing an unknown number of hashed and salted passwords. Heroku owner Salesforce then decided to reset all user credentials.