by VWWHFSfQ 1508 days ago
My understanding is they didn't even know about this until GitHub told them on April 13th. I'm guessing something got triggered in GitHub's system by a flurry of tokens issued to Heroku trying to enumerate private repositories. If the attacker had just played it low and slow they might never even have known at all.

Who knows how long Heroku's internal systems were compromised.

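The comment above guesses that GitHub noticed the intrusion because a burst of token use enumerated private repositories, and that a "low and slow" attacker might have gone unnoticed. The following is an added illustration of that detection logic, not code from the thread, from GitHub or from Heroku: a sliding-window counter over a constructed audit log that flags tokens touching many distinct repos in a short window, plus a second pass over a longer window keyed on organisation to catch the slower variant. The event shape, field names, window sizes and thresholds are all assumptions made for the example.

```python
"""Sliding-window detection for OAuth-token repository enumeration.

Added example; not code from the original thread, GitHub or Heroku.
The event shape, thresholds and window sizes are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

# (timestamp, token_id, action, "org/repo") -- an assumed, simplified record.
Event = Tuple[datetime, str, str, str]

BASE = datetime(2022, 4, 9, 3, 0, tzinfo=timezone.utc)


def _enumeration(token: str, n: int, every_seconds: int) -> List[Event]:
    """Build n private-repo reads by one token, one every `every_seconds`."""
    return [
        (BASE + timedelta(seconds=i * every_seconds), token, "repo.read",
         f"org-{i}/private-repo")
        for i in range(n)
    ]


# Constructed sample audit log (not real GitHub data).
SAMPLE_LOG: List[Event] = (
    _enumeration("tok_noisy", 200, 3)      # 200 repos in about 10 minutes
    + _enumeration("tok_slow", 200, 1200)  # same 200 repos, one every 20 minutes
    + _enumeration("tok_legit", 5, 900)    # an ordinary integration
)


def peak_distinct(events: List[Event], key: Callable[[Event], str],
                  window: timedelta, threshold: int) -> Dict[str, int]:
    """For each token, the largest number of distinct key(event) values seen
    inside any sliding window; returns only the tokens above threshold."""
    per_token: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        if ev[2].startswith("repo."):
            per_token[ev[1]].append((ev[0], key(ev)))
    alerts: Dict[str, int] = {}
    for token, rows in per_token.items():
        live: Dict[str, int] = defaultdict(int)   # value -> count inside window
        start = peak = 0
        for ts, value in rows:
            live[value] += 1
            # Evict rows that fell out of the window before measuring.
            while ts - rows[start][0] > window:
                old = rows[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            peak = max(peak, len(live))
        if peak > threshold:
            alerts[token] = peak
    return alerts


def burst_alerts(events: List[Event] = SAMPLE_LOG) -> Dict[str, int]:
    """Short window: catches a token that reads many repos within minutes.
    The slow token stays under the radar here, as the comment suggests."""
    return peak_distinct(events, key=lambda e: e[3],
                         window=timedelta(minutes=10), threshold=50)


def slow_scan_alerts(events: List[Event] = SAMPLE_LOG) -> Dict[str, int]:
    """Long window keyed on organisation: one integration token should not
    be touching dozens of unrelated orgs even spread over a whole day."""
    return peak_distinct(events, key=lambda e: e[3].split("/")[0],
                         window=timedelta(hours=24), threshold=25)


if __name__ == "__main__":
    print("10-minute burst:", burst_alerts())          # {'tok_noisy': 200}
    print("24-hour org spread:", slow_scan_alerts())   # {'tok_noisy': 200, 'tok_slow': 73}
```

The two passes show the trade-off the comment is pointing at: a rate-based rule on a short window is cheap and catches the noisy enumeration, but the same 200 repositories read one every twenty minutes never exceed it. Widening the horizon and counting distinct organisations per token instead of raw request rate is one way to recover the slow case; in practice the breadth baseline would be learned per OAuth app rather than hard-coded.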

Even if that's the case, it's still way after April 13th.
It might be that it took this amount of time to establish the facts of the events. If they had recounted an incorrect version early, it might have done more damage than not telling it.

I don't know if the GitHub disclosure "includes" Heroku's disclosure: https://github.blog/2022-04-15-security-alert-stolen-oauth-u... but it was at least April 15th, close-ish to when the event occurred.

Is it ever true that earlier indications that credentials should be rotated lead to worse outcomes, though, as just one example?

I'm sure I've received emails of the form: we suspect there may have been a breach, so we're forcing password resets, and have always taken that fine.

Heroku reported it on 4/15. Read the beginning of the string of updates on the notification page posted here. Also,

https://news.ycombinator.com/item?id=31048646

And they reported that the credentials were leaked on 5/3. That took a long time.

Which credentials are you referring to? They reported the loss of OAuth tokens on April 15. What am I missing?

https://status.heroku.com/incidents/2413

"On April 13, 2022, Salesforce Security was notified by GitHub that a subset of Heroku’s GitHub private repositories, including some source code, was downloaded by a threat actor on April 9, 2022. Based on Salesforce’s initial investigation, it appears that unauthorized access to Heroku's GitHub account was the result of a compromised OAuth token. Salesforce immediately disabled the compromised user’s OAuth tokens and disabled the compromised user’s GitHub account. Additionally, GitHub reported that the threat actor was enumerating GitHub customer accounts using OAuth tokens issued to Heroku’s OAuth integration dashboard hosted on GitHub. Based on the information GitHub shared with us, we are investigating how the threat actor gained access to customer OAuth tokens. The compromised tokens could provide the threat actor access to customer GitHub repos, but not customer Heroku accounts. With the access to customer OAuth tokens, the threat actor may have read and write access to customer GitHub repositories connected to Heroku. Given the incident is still active, please review the recommended actions provided below."

Posted 21 days ago, APR 15, 2022 23:36 UTC

You’re missing the 5/3 update about username and password credentials.

> our investigation also revealed that the same compromised token was leveraged to gain access to a database and exfiltrate the hashed and salted passwords for customers’ user accounts.

From the link we are commenting on.

Got it. Thanks.

This has been an ongoing security incident communicated through multiple channels since the day that GitHub announced it. I've got a dozen emails or more in my inbox, the Heroku dashboard includes mention of it, and the status page includes information about it.