Heroku Forcing Password Resets as GitHub Investigation Continues

Team Avatar - Errol Schmidt
Errol Schmidt
May 5, 2022

If you are a user of Salesforce’s platform-as-a-service Heroku you will have received an email this week letting you know that you will shortly be asked to reset your password (or you can do it now in advance).

There are doubtless some questions regarding the implications of this, and what brought about such a drastic move.

Firstly, the implications.

The email mentions that resetting the password will invalidate past API tokens. This means that third party services that you have integrated to your Heroku hosted application will stop working with your application, and the link will be broken. You will need to renew those tokens once the password has been updated.

Once the password has been changed and you have updated the tokens, you should thoroughly test to ensure your application is working as expected, and the integrations are not broken. This is very important.

If you have a dev-ops service (such as reinteractive OpsCare) who help you to manage your Heroku instance, they will be able to assist you with much of this.

Why did this come about?

In mid April it appears (and is still being investigated) that an unknown person was able to access OAuth tokens from a Heroku repository on Github. Those tokens potentially provided access to Git repositories for Heroku connected accounts.

In reality only a very small number of accounts were affected, but the potential was probably larger. The Heroku customers were notified where they might have been affected.

The stolen tokens were revoked by the Heroku team quickly, limiting the issue.

Of course the question remains, how did this occur, and more importantly, will it occur again in the future.

There does not seem to be any valid information available as to why it occurred beyond the obvious facts. As to this occurring again - I would not expect the same thing to happen again - safeguards are already in place - but it does point to an inconvenient truth; as much work as we all do to harden and strengthen our systems, platforms and applications, there will be a malicious someone working just as hard to find a loophole, way through or weak point to take advantage of. Our job, whether the service owner, manager or user is to do everything that we can to mitigate these risks.

Some recommendations;

  1. Ensure your software and operating systems is on the latest recommended version and patched with any relevant security updates
  2. Follow best practice on setting passwords and security tokens
  3. Don’t leave those passwords or tokens in plain text where they can be found (such as in a code base - even if this is secured in GitHub)
  4. 2 Factor Auth is mandatory for any of your applications
  5. Follow any advice on security matters after verifying it for yourself where it comes from your It team DevOps team or the software provider.

As a final word, take the obvious and clear steps to mitigate risk, but also, don’t panic. Continue to build your application, increase your client base and be as successful as you like!

If you have any further concerns or questions, you can reach out to us and we will point you in the right direction or answer your questions:

Twitter: @reinteractive