Security News > 2022 > May > Heroku forces user password resets but fails to explain why
Salesforce-owned Heroku is performing a forced password reset on a subset of user accounts in response to last month's security incident while providing no information as to why they are doing so other than vaguely mentioning it is to further secure accounts.
Last night, some Heroku users began receiving emails titled 'Heroku security notification - resetting user account passwords on May 4, 2022' stating that passwords would be forcibly reset today in response to last month's security incident.
"As part of our efforts to enhance our security and in response to an incident published on status.heroku.com, we wanted to inform you that we will begin resetting user account passwords on May 4, 2022," read the email sent to Heroku customers.
"On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm," disclosed GitHub.
With Heroku now forcing password resets, customers are rightfully concerned that their investigation may have uncovered further malicious activity by the threat actors that is not being disclosed.
BleepingComputer does not have any OAuth integrations using Heroku apps or GitHub, indicating that these passwords resets are related to something else.