It’s something every developer hates to hear: the B word… Breach. 

Especially when it is on a platform they are using day in and day out.

Unfortunately, that’s the reality that many GitHub users woke up to recently. Earlier this year GitHub revealed details about a security breach that allowed an unknown attacker to download data from dozens of private code repositories with two third-party cloud platforms as a service (PaaS) – Heroku and Travis CI – being the targets.

“Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents …. for secrets that could be used to pivot [attacks] into other infrastructure,” GitHub warned in a blog post.

With the amount of time between identification of the breach, understanding the extent of impacted repos/customers, notification and remediation, attackers may have been able to rapidly expand their reach and carry out a lateral attack.

Let’s explore the details of what happened, and what steps companies can take to protect themselves from similar scenarios.

What happened?

GitHub identified OAuth tokens for GitHub integrations that were stolen and issued to two of its third-party vendors, Heroku and Travis CI. Using these stolen tokens, the attackers executed a targeted attack where dozens of private data repos were downloaded.

GitHub users on the Heroku platform had data downloaded by an attacker from private code repositories. The attacker proceeded to list out the repositories from targeted user accounts before cloning some of these private repositories.

What does this mean for Heroku/Travis CI users?

It’s uncertain the full extent that Heroku users, like Copado which uses Herokuto to host their infrastructure, have been affected by this breach as the full scope of the attack could potentially grow.

Heroku is used as a hosted integration hub for version control, application lifecycle management and API’s that, due to the breach, allow further lateral movement for the threat actor to take advantage.   

“Since user authentication information was exfiltrated from Heroku,” every Copado user “must completely re-generate account passwords and associated environment variables“ to avoid the double tap cybersecurity attack.

Where does the most sensitive information reside in your organization?   

Ask a  CEO or CFO, “Where does the organization's most sensitive information reside, that if exposed could cripple the organization?” The answer most likely will be Salesforce.


With Salesforce being the center of most organizations, Salesforce DevOps solutions are needed to keep pace with the speed with the business, but should it be at a cost of the organizations cybersecurity posture by relying on third-party integrations? Quite simply, no. There are options available that enable high-quality DevOps while keeping security top of mind.

Flosum is built for Salesforce, on Salesforce. 

Fully integrated with Git but also featuring its own native version control and built specifically for Salesforce development, Flosum is the only solution architecture that does not require that organizations open their IP ranges or provide access to their production systems, featuring a Zero-Trust Security Model

With this improved cybersecurity posture, developers, infosec teams and the CEO will be at ease knowing that the organization's most sensitive data is being kept secure.

If you are interested in discussing further with one of Flosum’s DevSecOps experts about the state of your security posture or Salesforce Devops solutions, book a meeting here

Are you stuck with your Copado contract? We may be able to help! 

signup for our blog


“Flosum is the best native release management tool that you will fall in love with. I have gained confidence in my role and has given me the ability to view release management from a whole different perspective.”

Faizan Ali

Faizan Ali
Salesforce Consultant at Turnitin