SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Salesforce resets user passwords as GitHub breach investigation continues

Salesforce is increasing its security measures following the investigation of a recent GitHub incident reported at Heroku.

The company will begin resetting user account passwords today, and existing passwords that have not been changed will stop working.

The alert comes as part of a series of responses to an April 13 update from GitHub, which revealed that a subset of Heroku's private GitHub repositories, including some source code, was downloaded by a threat actor on April 9, 2022.

After initially recommending that customers disconnect Heroku from GitHub repositories, the Heroku incident report also advised clients to review their organisation's audit and security logs.

"At Salesforce, we understand that the confidentiality, integrity, and availability of your data are vital to your business, and we take the protection of your data very seriously," the update stated on April 15.

"We value transparency and wanted to notify you of an incident we're actively investigating that may lead to unauthorised access to your GitHub repositories connected to Heroku."

GitHub previously reported that, on further investigation, the apparent threat actor was enumerating GitHub customer accounts using OAuth tokens issued to Heroku's OAuth integration dashboard hosted on GitHub.

On April 16, Salesforce completed the revocation of all OAuth tokens from the Heroku Dashboard GitHub integration to bolster security.

Last week, Salesforce reminded customers that Salesforce Security does not have access to customer GitHub repository logs, so they cannot look into specific threat actor actions.

As the investigation continues, customers are being directly contacted and GitHub remains disconnected.

When sorting out new passwords, Salesforce recommends choosing strong combinations with upper and lower case letters and symbols.

The company also noted that a password reset will invalidate customer API access tokens. As a result, any automations customers have built to integrate with the Heroku Platform API using these tokens may result in 403 forbidden errors.

To avoid downtime, customers will need to re-enable direct authorisations by following the given instructions on Heroku and updating their integrations to use the newly generated token.

Salesforce also recommends enabling Multi-Factor Authentication (MFA) and implementing recovery codes as a primary backup.

If customers used their previous password on any other sites, Salesforce highly recommends that they change their password on those sites too.

"We sincerely regret any inconvenience you may have experienced because of this issue and appreciate your trust in us as we continue to make your success our top priority," the customer email states.
