GitHub and Heroku suffered a data breach after a hacker stole open authorization (OAuth) tokens in an upstream breach of third-party integrations.
GitHub, which is owned by Microsoft, allows users to build, ship, maintain, and store software. The company hosts over 73 million developers and 4 million organizations, including 84 percent of Fortune 100 companies.
Heroku is a cloud platform-as-a-service company owned by Salesforce. It enables developers to build and run applications entirely in the cloud.
Travis CI is a hosted continuous integration service used to build and test software projects hosted on GitHub.
In April 2022, an unknown hacker stole OAuth tokens issued to the software providers Heroku and Travis CI. An OAuth token lets one website access a user's data on another website with a limited set of permissions, without the user handing over full credentials. The hacker used these stolen tokens to access GitHub and download data from the private repositories of scores of organizations, including the software registry npm. GitHub posited that the hacker may be mining that data for secrets (such as credentials and keys) for use against other infrastructure.
GitHub spotted the breach and notified Heroku and Travis CI, which were unaware they had been attacked. GitHub revoked the tokens associated with GitHub and npm, analyzed the attacker's behavior, and published a list of the actions the attacker took on its platform. GitHub also notified the customers affected by the breach.
Heroku does not know the full extent of the breach and is asking customers to review their own accounts and repositories to determine whether they were affected. On April 26, Heroku stated that it would not reconnect its GitHub integration until it could do so safely.