05/19/2022 - Security Incident Notification - Salesforce Heroku OAuth Token Compromise
We are providing this notification to inform our customers and partners of the state of an ongoing security incident impacting our application hosting platform - Salesforce Heroku.
At this time we have no evidence to suggest that our customers' data has been compromised.
In the interest of transparency, we wanted to provide an update on the impact to Groupize and the steps we have taken, and are continuing to take, to maintain our standard of data security and confidentiality.
Overview of the Incident Thus Far
Groupize utilizes the Heroku service provided by Salesforce.com as application / server hosting for our software-as-a-service products. As such, Salesforce Heroku is recorded as a subprocessor for all transactions with Groupize and is included in our annual audit processes for PCI and ISO 27001.
On April 15th, Salesforce Heroku informed us, via email and their public status page at https://status.heroku.com, that they were investigating a potential breach related to the credentials Groupize uses to provide Heroku with access to our source code. We immediately initiated our Incident Response Plan and began evaluating the potential severity and scope of the breach. It was quickly determined that, based on information provided by Salesforce Heroku, there was no impact to our customers' privacy or data security and that the impact to Groupize was limited. Subsequent communications from GitHub (working with the Salesforce incident response team) indicated that the breach had not compromised Groupize at all, and our internal incident response was closed with no impact identified.
At the time, Salesforce Heroku's response remained open, and several features of the service were temporarily unavailable as they worked to ensure that the breach could not be reproduced using the same vulnerability. Our team stayed in communication throughout and was regularly informed that Salesforce had no change in their position on the severity or impact to Groupize.
On May 18th, Salesforce updated their guidance, based on their ongoing investigation, to indicate that some Groupize confidential information may have been exposed and recommended we take action to ensure ongoing data security. At this time we re-opened our incident response and elevated the severity to "High" - indicating a need for additional investigation and immediate action to prevent further impact.
Actions Taken So Far
Our response team reviewed our logging and system access and has found no evidence of any unauthorized access to Groupize systems from the date of the original vulnerability through today. At this time, we do not believe any customer data was compromised, and further conversations with Heroku indicate that they have found no evidence of exposure to our systems.
Out of an abundance of caution, we performed emergency maintenance yesterday evening (May 18th) to rotate any sensitive secrets, API keys or other private information that was, theoretically, available as a result of the original breach. Again - we have no evidence to suggest that any attacker accessed these secrets, but we invoked our contingency plan for this specific scenario regardless. None of these keys or secrets are used to secure customer passwords, single sign-on credentials or certificates, and there is no suggestion that customer action is needed as a result. The secrets in question were used for Groupize to communicate with external third-party systems.
Ongoing Actions
As of today (May 19th), we are keeping our incident response open and monitoring communications from Heroku. We are also working directly with partners to coordinate on this response plan. Additionally, we are re-evaluating our overall application hosting infrastructure to identify any additional safeguards we can take to prevent an impact to our operations as a result of a vendor breach in the future.
Conclusion
We take the security of our customers' data very seriously. We have pursued and obtained both PCI and ISO 27001 certifications and have made our audit teams aware of this incident for inclusion in future audit considerations.
At this time we have no reason to believe our customers, partners or stakeholders need to take any action as a result of this breach. Should additional information change this response - either from our own internal investigation or information provided by Salesforce Heroku - we will notify affected parties as soon as possible.
Should you have any questions about this incident or Groupize security in general, you can contact me directly at jschramm@groupize.com or reach our security team broadly at security@groupize.com.
Josh Schramm
VP of Engineering