> On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. Read on to learn more about the impact to GitHub, npm, and our users.
> ...
The one good thing is that they can revoke the OAuth tokens and immediately stop the cybercriminals' access to more data. The data that has already been exfiltrated can't be pulled back, however.
I can understand if they somehow obtained one account's OAuth token(s), but multiple? Is the vulnerability in Heroku and Travis-CI, or is it in GitHub itself?
Or were those organizations just careless about the equivalent of a randomly generated very long per-app password?
> Heroku Security Notification
> 9 hours ago
>
> Subject: Heroku Security Update: OAuth token revoked
>
> At 5:00 p.m. PT on April 16, 2022, Salesforce completed the revocation of all OAuth tokens from the Heroku Dashboard GitHub integration. As mentioned previously, this will prevent you from deploying your apps from GitHub through the Heroku dashboard or via Heroku automation, and some other actions in the dashboard will no longer work. While you will be unable to reconnect to GitHub via the Heroku dashboard, you may continue to use other code deployment methods available in the following documentation: