United States

US Cities Are Backing Off Banning Facial Recognition as Crime Rises (reuters.com) 128

Facial recognition is making a comeback in the United States as bans to thwart the technology and curb racial bias in policing come under threat amid a surge in crime and increased lobbying from developers. From a report: Virginia in July will eliminate its prohibition on local police use of facial recognition a year after approving it, and California and the city of New Orleans as soon as this month could be next to hit the undo button. Homicide reports in New Orleans rose 67% over the last two years compared with the pair before, and police say they need every possible tool. "Technology is needed to solve these crimes and to hold individuals accountable," police Superintendent Shaun Ferguson told reporters as he called on the city council to repeal a ban that went into effect last year.
United States

Senate Confirms Bedoya To FTC, Establishing Democratic Majority (theverge.com) 55

The Senate has voted to confirm privacy expert Alvaro Bedoya to the Federal Trade Commission. The confirmation secures a Democratic voting majority at the agency tasked by the Biden administration with investigating big tech companies like Facebook and Google over potential data privacy and competition violations. The Verge adds: Vice President Kamala Harris voted to break a 50-50 tie on the Senate floor to finalize Bedoya's confirmation. Bedoya will replace former Commissioner Rohit Chopra who left the FTC last year to head the Consumer Financial Protection Bureau. Before his confirmation, Bedoya was a Georgetown law professor with a focus on privacy law, founding the university's Center on Privacy and Technology in 2014. In his academic career, Bedoya explored the disproportionate effects of surveillance on minority groups, particularly regarding facial recognition technology.
EU

New EU Rules Would Require Chat Apps To Scan Private Messages for Child Abuse (theverge.com) 204

The European Commission has proposed controversial new regulation that would require chat apps like WhatsApp and Facebook Messenger to selectively scan users' private messages for child sexual abuse material (CSAM) and "grooming" behavior. The proposal is similar to plans mooted by Apple last year but, say critics, much more invasive. From a report: After a draft of the regulation leaked earlier this week, privacy experts condemned it in the strongest terms. "This document is the most terrifying thing I've ever seen," tweeted cryptography professor Matthew Green. "It describes the most sophisticated mass surveillance machinery ever deployed outside of China and the USSR. Not an exaggeration." Jan Penfrat of digital advocacy group European Digital Rights (EDRi) echoed the concern, saying, "This looks like a shameful general #surveillance law entirely unfitting for any free democracy." (A comparison of the PDFs shows differences between the leaked draft and final proposal are cosmetic only.) The regulation would establish a number of new obligations for "online service providers" -- a broad category that includes app stores, hosting companies, and any provider of "interpersonal communications service."
Advertising

Lawmakers Offer Bill To Regulate Volume of Commercials On Streaming Services (thehill.com) 103

Sen. Sheldon Whitehouse (D-R.I.) and Rep. Anna Eshoo (D-Calif.) on Tuesday introduced a bill to regulate the volume of commercials shown on streaming platforms. The Hill reports: The bill is known as the Commercial Advertisement Loudness Mitigation (CALM) Modernization Act. It would modernize policies regarding ads on streaming services, saying that "the volume of commercials on streaming services cannot be louder than regular programming," according to Eshoo. It would also ramp up the Federal Communications Commission's ability to investigate and enforce violations of the original CALM Act and require a study into its effectiveness.

Eshoo added that since she and Whitehouse created the original CALM Act, streaming service providers have "recreated the problem of loud ads because the old law doesn't apply to them." "Today, we're updating the legislation for the benefit of consumers who are tired of diving for the mute button at every commercial break," Eshoo added.

United States

ICE 'Now Operates As a Domestic Surveillance Agency,' Think Tank Says (engadget.com) 76

Although it's supposed to be restricted by surveillance rules at local, state and federal levels, Immigration and Customs Enforcement (ICE) has built up a mass surveillance system that includes details on almost all US residents, according to a report from a major think tank. Engadget reports: Researchers from Georgetown Law's Center on Privacy and Technology said ICE "now operates as a domestic surveillance agency" and that it was able to bypass regulations in part by purchasing databases from private companies. "Since its founding in 2003, ICE has not only been building its own capacity to use surveillance to carry out deportations but has also played a key role in the federal government's larger push to amass as much information as possible about all of our lives," the report's authors state. "By reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has created a surveillance infrastructure that enables it to pull detailed dossiers on nearly anyone, seemingly at any time."

The researchers spent two years looking into ICE to put together the extensive report, which is called "American Dragnet: Data-Driven Deportation in the 21st Century." They obtained information by filing hundreds of freedom of information requests and scouring more than 100,000 contracts and procurement records. The agency is said to be using data from the Department of Motor Vehicles and utility companies, along with the likes of call records, child welfare records, phone location data, healthcare records and social media posts. ICE is now said to hold driver's license data for 74 percent of adults and can track the movement of cars in cities that are home to 70 percent of the adult population in the US.

The study shows that ICE, which falls under the Department of Homeland Security, has already used facial recognition technology to search through driver's license photos of a third of adults in the US. In 2020, the agency signed a deal with Clearview AI to use that company's controversial technology. In addition, the report states that when 74 percent of adults hook up gas, electricity, phone or internet utilities in a new residence, ICE was able to automatically find out their updated address. The authors wrote that ICE is able to carry out these actions in secret and without warrants. Along with the data it acquired from other government departments, utilities, private companies and third-party data brokers, "the power of algorithmic tools for sorting, matching, searching and analysis has dramatically expanded the scope and regularity of ICE surveillance," the report states.
The agency spent around $2.8 billion on "new surveillance, data collection and data-sharing initiatives," according to the report. Approximately $569 million was spent on data analysis, including $186.6 million in contracts with Palantir Technologies.

"ICE also spent more than $1.3 billion on geolocation tech during that timeframe and $389 million on telecom interception, which includes tech that helps the agency track someone's phone calls, emails, social media activity and real-time internet use," adds Engadget.
Google

Google, Microsoft and Yahoo Back New York Ban on Controversial Search Warrants (techcrunch.com) 23

A coalition of tech giants, including Google, Microsoft and Yahoo, have pledged support for a New York bill that would ban the use of controversial search warrants that can identify people based on their location data and internet search keywords. From a report: In a brief statement, the coalition known as Reform Government Surveillance said it "supports the adoption of New York Assembly Bill A84A, the Reverse Location Search Prohibition Act, which would prohibit the use of reverse location and reverse keyword searches." The bill, if passed, would become the first state law to ban so-called geofence warrants and keyword search warrants, which rely on demanding tech companies turn over data about users who were near the scene of a crime or searched for particular keywords at a specific point in time. But the bill hasn't moved since it was referred to a committee for discussion in January, the first major hurdle before it can be considered for a floor vote.
Businesses

'Crypto Muggings': Thieves in London Target Digital Investors By Taking Phones (theguardian.com) 68

Thieves are targeting digital currency investors on the street in a wave of "crypto muggings," police have warned, with victims reporting that thousands of pounds have been stolen after their mobile phones were seized. From a report: Anonymised crime reports provided to the Guardian by City of London police, as part of a freedom of information request, reveal criminals are combining physical muscle with digital knowhow to part people from their cryptocurrency. One victim reported they had been trying to order an Uber near London's Liverpool Street station when muggers forced them to hand over their phone. While the gang eventually gave the phone back, the victim later realised that $6,150-worth of ethereum digital currency was missing from their account with the crypto investing platform Coinbase.

In another case, a man was approached by a group of people offering to sell him cocaine and agreed to go down an alley with them to do the deal. The men offered to type a number into his phone but instead accessed his cryptocurrency account, holding him against a wall and forcing him to unlock a smartphone app with facial verification. They transferred $7,400-worth of ripple, another digital currency, out of his account. A third victim said he had been vomiting under a bridge when a mugger forced him to unlock his phone using a fingerprint, then changed his security settings and stole $35,300, including cryptocurrency.

Piracy

US Copyright Office Seeks Input On Mandatory DMCA 'Upload Filters' (torrentfreak.com) 83

An anonymous reader quotes a report from TorrentFreak: The U.S. Copyright Office has launched a public consultation to evaluate whether it's wise to make certain technical protection measures mandatory under the DMCA. The Office hopes to hear all relevant stakeholders and the public at large in what may become a de facto review of the recently introduced SMART Copyright Act. [...] Following repeated nudges from Senators Thom Tillis and Patrick Leahy, the Copyright Office started looking into automated tools that online services can use to ensure that pirated content can't be easily reuploaded. This "takedown and staydown" approach relies on technical protection tools, which include upload filters. This is a sensitive subject that previously generated quite a bit of pushback when the EU drafted its Copyright Directive. To gauge the various options and viewpoints, the Copyright Office launched a consultation last year, which triggered a wave of objections and opposition.

Last week, the Office followed up with yet another consultation, asking for input on shortcomings in the current DMCA legislation and what alternatives could help to improve things. As things stand, online services are allowed to implement their own upload filters, which many do. Scanning uploads for potentially copyright-infringing content isn't mandatory but that could change in the future. The consultation outline mentions several potential changes to the DMCA's Section 512, such as online services losing their safe harbor protection if they fail to implement specific "standard technical measures" (STMs). "Is the loss of the section 512 safe harbors an appropriate remedy for interfering with or failing to accommodate STMs?" the Copyright Office asks. "Are there other obligations concerning STMs that ought to be required of internet service providers?" the list of questions continues.

Stakeholders are asked to share their views on these matters. While it is uncertain whether any measures will be made mandatory, the Copyright Office is already looking ahead. For example, who gets to decide what STMs will be mandatory, and how would the rulemaking process work? "What entity or entities would be best positioned to administer such a rulemaking? What should be the frequency of such a rulemaking? What would be the benefits of such a rulemaking? What would be the drawbacks of such a rulemaking?"

Piracy

Pirate Site Blocking Is Making Its Way Into Free Trade Agreements (torrentfreak.com) 39

The new free trade agreement between Australia and the UK includes a site blocking paragraph. The text requires the countries to provide injunctive relief to require ISPs to prevent subscribers from accessing pirate sites. While this doesn't change much for the two countries, rightsholders are already eyeing similar requirements for trade deals with other nations. TorrentFreak reports: The inclusion of a blocking paragraph in the copyright chapter of the trade deal was high on the agenda of various copyright holder groups. Following a series of hearings and consultations, both countries settled on the following text:

1. Each Party shall provide that its civil judicial authorities have the authority to grant an injunction against an ISP within its territory, ordering the ISP to take action to block access to a specific online location, in cases where:
(a) that online location is located outside the territory of that Party; and
(b) the services of the ISP are used by a third party to infringe copyright or related rights in the territory of that Party.

2. For greater certainty, nothing in this Article precludes a Party from providing that its judicial authorities may grant an injunction to take action to block access to online locations used to infringe intellectual property rights in circumstances other than those specified in paragraph 1.


This hasn't gone unnoticed by the Alliance for Intellectual Property, which represents rightsholder organizations such as the MPA, BPI, and the Premier League. The group repeatedly urged the UK Government to include site-blocking powers in the agreement. In a recent submission to the UK Government, the Alliance once again stresses the importance of site blocking, while also hinting at broadening the current anti-piracy toolbox. "It has become a hugely valuable tool in the armory of rights holders looking to protect their IP. It is vital that the UK Government ensures the preservation of the no-fault injunctive relief regime," the Alliance writes. "We would also encourage the opening of dialogue, wherever possible, to share experience around UK practices and to encourage faster, more efficient website blocking procedures, whether through civil, criminal, administrative or voluntary means."

The site-blocking language is already included in the latest trade deal draft but the Alliance is also looking ahead at future agreements with other countries. In this context, the blocking paragraph will send a clear message. "We would therefore urge the UK Government to include reference to the site blocking legislation in the FTA with Australia as it will send an important message to future countries that we might chose [sic] to negotiate trade agreements with." The Alliance for Intellectual Property doesn't mention any other countries by name. However, it specifically references a report from the U.S. Copyright Office where site blocking was mentioned as a potential future anti-piracy option. In the same report, the Copyright Office also stressed that further research would be required on the effect and impact of a U.S. site-blocking scheme, but the idea wasn't dismissed outright.

Facebook

Facebook To Discontinue 'Nearby Friends' and Other Location-Based Features (9to5mac.com) 11

Facebook on Thursday began informing users that Nearby Friends and other location-based features will soon be discontinued at the end of the month. While the reasons are currently unclear, the company claims that all information related to these features will be deleted from Facebook's servers. 9to5Mac reports: Users have been getting a notification in the Facebook app for iOS and Android about the end of Nearby Friends, a feature that lets people share their current location with other Facebook friends. At the same time, Facebook also says that Time Alerts, Location History, and Background Location are also "going away soon." According to the company, Nearby Friends and other location-based features will no longer be available to users after May 31, 2022.

Some of the data, such as the user's location history (which automatically uses your location to create a map of places you have visited), will be available for download by August 1, 2022. After that, Facebook says that this data will be deleted. Unfortunately, this doesn't mean that Facebook's app will stop collecting users' location. The company states that location data will still be collected "for other experiences." Of course, you can always disable the Facebook app's access to your location by going into the iOS Privacy settings.

Privacy

Clearview AI Agrees To Limit Sales of Facial Recognition Data In the US (engadget.com) 14

An anonymous reader quotes a report from Engadget: Notorious facial recognition company Clearview AI has agreed to permanently halt sales of its massive biometric database to all private companies and individuals in the United States as part of a legal settlement with the American Civil Liberties Union, per court records. Monday's announcement marks the close of a two-year legal dispute brought by the ACLU and privacy advocate groups in May of 2020 against the company over allegations that it had violated BIPA, the 2008 Illinois Biometric Information Privacy Act. This act requires companies to obtain permission before harvesting a person's biometric information -- fingerprints, gait metrics, iris scans and faceprints for example -- and empowers users to sue the companies who do not.

In addition to the nationwide private party sales ban, Clearview will not offer any of its services to Illinois local and state law enforcement agencies (as well as all private parties) for the next five years. "This means that within Illinois, Clearview cannot take advantage of BIPA's exception for government contractors during that time," the ACLU points out, though Federal agencies, state and local law enforcement departments outside of Illinois will be unaffected. That's not all. Clearview must also end its free trial program for police officers, erect and maintain an opt-out page for Illinois residents, and spend $50,000 advertising it online. The settlement must still be approved by a federal judge before it takes effect.
"Fourteen years ago, the ACLU of Illinois led the effort to enact BIPA -- a groundbreaking statute to deal with the growing use of sensitive biometric information without any notice and without meaningful consent," Rebecca Glenberg, staff attorney for the ACLU of Illinois, said in a statement. "BIPA was intended to curb exactly the kind of broad-based surveillance that Clearview's app enables. Today's agreement begins to ensure that Clearview complies with the law. This should be a strong signal to other state legislatures to adopt similar statutes."
The Courts

Match Sues Google Over App Store Billing Rules (bloomberg.com) 31

Match Group accused Alphabet's Google in a lawsuit of acting as a monopolist with its app store billing rules, the latest escalation in a brawl over the mobile-app industry. From a report: Match Group, which operates dating apps such as Tinder and OkCupid, alleged that Google breaks federal and state laws and abuses its power with a requirement that app developers use its billing system on Android devices. "Ten years ago, Match Group was Google's partner. We are now its hostage," Match Group said in a complaint filed Monday in northern California federal court.

"Blinded by the possibility of getting an ever-greater cut of the billions of dollars users spend each year on Android apps, Google set out to monopolize the market for how users pay for their Android apps." Google, like Apple, has faced enormous recent legal and political scrutiny over the commission fees and billing restrictions both companies apply to paid services in their app stores. Congress is currently weighing a bill to force Google and Apple to change their business models.

China

Pentagon's China Warning Prompts Calls To Vet US Funding of Startups (wsj.com) 20

Congress may soon require government agencies to vet tech startups seeking federal funding, after a Defense Department study found China is exploiting a popular program that funds innovation among small American companies. From a report: The study, which was viewed by The Wall Street Journal, found China is using state-sponsored methods to target companies that have received Pentagon funding from the Small Business Innovation Research program. The SBIR program for decades has sought to promote innovation through a competitive U.S. government award process.

The April 2021 report, which has been circulating among lawmakers on Capitol Hill, details eight case studies it says have "national and economic security implications." The studies include examples of program participants who dissolve their American companies, join Chinese government talent programs and continue their work at institutions that support the People's Liberation Army, the armed wing of the Communist Party. The report also documents instances of SBIR recipients taking venture-capital money from Chinese state-owned firms and of working with Chinese entities that support the country's defense industry. The report concludes that the SBIR program needs a due-diligence process to identify entities of potential concern that would then receive a more detailed review.

Crime

Mining Capital Coin CEO Indicted for Allegedly Running a Cryptocurrency Pyramid Scheme (cnn.com) 23

America's Justice Department announced Friday that the CEO of Mining Capital Coin, "a purported cryptocurrency mining and investment platform," has been indicted "for allegedly orchestrating a $62 million global investment fraud scheme."

CNN reports: According to a US Securities and Exchange Commission complaint filed last month, Capuci sold mining packages to more than 65,000 investors since at least January 2018. The group promised daily returns of 1% for up to a year, the SEC press release says. [Capuci apparently said that revenue stabilized the company's cryptocurrency, Capital Coin, according to the DOJ's statement.] But instead, the DOJ alleges, Capuci diverted the funds to his own cryptocurrency wallets. MCC netted at least $8.1 million from the sale of the mining packages and $3.2 million in initiation fees, which funded a lavish lifestyle, including Lamborghinis, a yacht and real estate, according to the SEC complaint....

The release alleges another fraudulent MCC investment avenue, "Trading Bots," which Capuci claimed operated at "very high frequency, being able to do thousands of trades per second." Capuci claimed the Trading Bots would provide daily returns, according to the DOJ release. ["But instead was diverting the funds to himself and co-conspirators."] Capuci also allegedly ran a pyramid scheme, according to the DOJ, recruiting promoters to sell the mining packages and promising them gifts ranging from Apple watches to Capuci's personal Ferrari, the press release says. ["Capuci further concealed the location and control of the fraud proceeds obtained from investors by laundering the funds internationally through various foreign-based cryptocurrency exchanges."]

The DOJ charged Capuci with conspiracy to commit wire fraud, conspiracy to commit securities fraud, and conspiracy to commit international money laundering. He could face up to 45 years in prison if convicted of all counts.

One U.S. attorney warned in the statement, "As with any emerging market, those who invest in cryptocurrency must beware of profit-making opportunities that appear too good to be true."

The statement also argues that cryptocurrency-based fraud "undermines financial markets worldwide, as bad actors defraud investors, and limits the ability of legitimate entrepreneurs to innovate within this emerging space."

Thanks to Slashdot reader quonset for sharing the story!
Security

Russia Hit With 'Unprecedented' Breaches By Pro-Ukrainian Cyberattackers (stripes.com) 40

This week the Washington Post described Russia as "struggling under an unprecedented hacking wave" — with one survey finding Russia is now the world's leader for leaked sensitive data (such as passwords and email addresses). "Federation government: your lack of honor and blatant war crimes have earned you a special prize..." read a message left behind on one of the breached networks...

Documents were stolen from Russia's media regulator and 20 years of email from one of Russia's government-owned TV/radio broadcasting companies. Ukraine's government is even suggesting targets through its "IT Army" channel on telegram, and has apparently distributed the names of hundreds of Russia's own FSB security agents. And meanwhile, the Post adds, "Ordinary criminals with no ideological stake in the conflict have also gotten in on the act, taking advantage of preoccupied security teams to grab money as the aura of invincibility falls, researchers said." Soon after the invasion, one of the most ferocious ransomware gangs, Conti, declared that it would rally to protect Russian interests in cyberspace. The pledge backfired in a spectacular fashion, since like many Russian-speaking crime groups it had affiliates in Ukraine. One of them then posted more than 100,000 internal gang chats, and later the source code for its core program, making it easier for security software to detect and block attacks.

Network Battalion 65 [a small hacktivist group formed as the war began looking inevitable] went further. It modified the leaked version of the Conti code to evade the new detections, improved the encryption and then used it to lock up files inside government-connected Russian companies. "We decided it would be best to give Russia a taste of its own medicine. Conti caused (and still causes) a lot of heartache and pain for companies all around the world," the group said. "As soon as Russia ends this stupidity in Ukraine, we will stop our attacks completely."

In the meantime, Network Battalion 65 has asked for ransomware payments even as it has shamed victims on Twitter for having poor security. The group said it hasn't gotten any money yet but would donate anything it collects to Ukraine.

Ars Technica quotes a cybersecurity researcher who now says "there are tens of terabytes of data that's just falling out of the sky."

Thanks to long-time Slashdot reader SpzToid for sharing the article!
GNOME

GNOME Patent Troll Gets Stripped of Patent Rights (opensource.org) 40

An anonymous Slashdot reader writes: Remember that patent lawsuit filed against GNOME's Shotwell in 2019? An enterprising open source lawyer has challenged it within the patent office and gotten the whole thing canceled!
OpenSource.org argues that the decision by the U.S. patent office "may well give patent trolls cause to steer clear of open source projects — even more than the fierce resistance the community impressively funded and mounted in the GNOME case." Of the many methods developed over the past 20 years to eliminate patent threats against FOSS, none is as powerful as challenging the nefarious patents directly. That's what McCoy Smith, founder of OSI sponsor LexPan Law, did.... Smith pointed out in a re-examination request to the U.S. Patent & Trademark Office that the patent was not for any new invention.

They agreed. As a result, all of these "claims" in the Rothschild '086 Patent — the part of a patent describing what the patent rights cover — have consequently been canceled. The Rothschild '086 patent can no longer be used against any victim, including open source projects.

Of course, that's little comfort to the 20+ victims attacked after GNOME with the now-proven-worthless Rothschild '086 patent, or the 50+ companies targeted with related patents that haven't yet been re-examined.... Still, it's good to know there are open source champions of all sizes defending the development of open software.

Education

Another Standardized Test Falls? America's Law Schools Could Stop Using the LSAT (msn.com) 100

America's law schools "would be given a green light to end admission test requirements," reports the Washington Post, "under a recommendation from a key committee of the American Bar Association that is scheduled for review in a public meeting this month." The proposal still faces layers of scrutiny within the ABA and would not take effect until next year at the earliest. If approved, it could challenge the long-dominant role of the Law School Admission Test, or LSAT, in the pathway to legal education.
Some context from The Week US: Like the SAT in undergraduate admissions, the LSAT has been accused of racial bias and promoting a destructive obsession with rankings. Critics also argue that the LSAT, which was designed to predict academic performance, has little connection to professional accomplishment....

The incentives for law schools to dump the LSAT aren't only political, though.... [L]aw schools face declining applications after a pandemic-driven spike in interest. That's partly because word is getting out that the legal profession isn't as glamorous or lucrative as people imagine or the media depict. Accepting alternate exams, such as the GRE, or going test-optional altogether can help pump up enrollment, particularly at marginal institutions.

The article points out that admitted law students will still eventually have to pass the official certifying "bar exam" before they're ever allowed to actually practice law.
Censorship

Millions of Russians are 'Tearing Holes in the Digital Iron Curtain' Using VPNs (msn.com) 96

After Russia invaded Ukraine in late February, "VPNs have been downloaded in Russia by the hundreds of thousands a day," reports the Washington Post, "a massive surge in demand that represents a direct challenge to President Vladimir Putin and his attempt to seal Russians off from the wider world.

"By protecting the locations and identities of users, VPNs are now granting millions of Russians access to blocked material...." Daily downloads in Russia of the 10 most popular VPNs jumped from below 15,000 just before the war to as many as 475,000 in March. As of this week, downloads were continuing at a rate of nearly 300,000 a day, according to data compiled for The Washington Post by the analytics firm Apptopia, which relies on information from apps, public data and an algorithm to come up with estimates. Russian clients typically download multiple VPNs, but the data suggests millions of new users per month. In early April, Russian telecom operator Yota reported that the number of VPN users was over 50 times as high as in January, according to the Tass state news service.

The Internet Protection Society, a digital rights group associated with jailed Russian opposition leader Alexei Navalny, launched its own VPN service last month and reached its limit of 300,000 users within 10 days, according to executive director Mikhail Klimarev. Based on internal surveys, he estimates that the number of VPN users in Russia has risen to roughly 30 percent of the 100 million Internet users in Russia. To combat Putin, "Ukraine needs Javelin and Russians need Internet," Klimarev said....

In the days before the war, and in the weeks since then, Russian authorities have also ratcheted up pressure on Google, asking the search engine to remove thousands of Internet sites associated with VPNs, according to the Lumen database, an archive of legal complaints related to Internet content. Google, which did not respond to a request for comment, still includes banned sites in search results.... Although downloading a VPN is technically easy, usually requiring only a few clicks, purchasing a paid VPN has become complicated in Russia, as Western sanctions have rendered Russian credit and debit cards nearly useless outside the country. That has forced many to resort to free VPNs, which can have spotty service and can sell information about users.

Vytautas Kaziukonis, chief executive of Surfshark — a Lithuania-based VPN that saw a 20-fold increase in Russian users in March — said some of those customers are now paying in cryptocurrencies or through people they know in third countries.

One 52-year-old told the Post that downloading a VPN "brought back memories of the 1980s in the Soviet Union, when he used a shortwave radio to hear forbidden news of dissident arrests on Radio Liberty, which is funded by the United States."

"We didn't know what was going on around us. That's true again now."
Google

The UK Government's Plan to Rein in Big Tech (bbc.com) 24

The BBC reports: Large tech companies such as Google and Facebook will have to abide by new competition rules in the UK or risk facing huge fines, the government said. The new Digital Markets Unit (DMU) will be given powers to clamp down on "predatory practices" of some firms.

The regulator will also have the power to fine companies up to 10% of their global turnover if they fail to comply.... The Department for Digital, Culture, Media and Sport (DCMS) said as well as large fines, tech firms could be handed additional penalties of 5% of daily global turnover for each day an offence continues. For companies like Apple that could be tens of billions of US dollars. "Senior managers will face civil penalties if their firms fail to engage properly with requests for information," the government said. However, it is unclear when exactly the changes will come into force, as the government has said the necessary legislation will be introduced "in due course...."

Google's search engine, which is currently the default search engine on Apple products, will also be looked at by the regulator, the government said.

It added it wants news publishers to be paid fairly for their content — and will give the regulator power to resolve conflicts.

The BBC reports the new rules also "aim to give users more control over their data," and that the new regulator "will also make it easier for people to switch between phone operating systems such as Apple iOS or Android and social media accounts, without losing data and messages."
Cloud

Heroku Admits That Customer Credentials Were Stolen In Cyberattack (bleepingcomputer.com) 4

Heroku has now revealed that the stolen GitHub integration OAuth tokens from last month further led to the compromise of an internal customer database. BleepingComputer reports: The Salesforce-owned cloud platform acknowledged the same compromised token was used by attackers to exfiltrate customers' hashed and salted passwords from "a database." Like many users, we unexpectedly received a password reset email from Heroku, even though BleepingComputer does not have any OAuth integrations that use Heroku apps or GitHub. This indicated that these password resets were related to another matter. [...]

In its quest to be more transparent with the community, Heroku has shed some light on the incident, starting a few hours ago. "We value transparency and understand our customers are seeking a deeper understanding of the impact of this incident and our response to date," says Heroku. The cloud platform further stated that after working with GitHub, threat intel vendors, industry partners and law enforcement during the investigation it had reached a point where more information could be shared without compromising the ongoing investigation:

"On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account. According to GitHub, the threat actor began enumerating metadata about customer repositories with the downloaded OAuth tokens on April 8, 2022. On April 9, 2022, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code. GitHub identified the activity on April 12, 2022, and notified Salesforce on April 13, 2022, at which time we began our investigation. As a result, on April 16, 2022, we revoked all GitHub integration OAuth tokens, preventing customers from deploying apps from GitHub through the Heroku Dashboard or via automation. We remain committed to ensuring the integration is secure before we re-enable this functionality." Heroku users are advised to continue monitoring the security notification page for updates related to the incident.
