The initial issue was supposedly a breach of customer repositories. Which sounds bad, but if you’re not storing credentials in code, then the worst case is that a potential hacker had access to download your code. Not great, but certainly not as catastrophic as some breaches have been.
Since then, Heroku has been acting beyond strange. Every day they update the incident with essentially the same non-update, but written differently, with vague references to the same information they’ve sent 14 days in a row.
Now, they send another very ominous and strange update about “some” customers having their passwords reset. However, based on this thread and my own experience, it seems like every customer is getting this message.
What does this have to do with the initial issue? Were actual Heroku accounts compromised?
This behavior is either extreme incompetence wrt customer communication, or they’re preparing to announce a truly insane breach that may include everyone that has ever used Heroku.
They need to get their shit together and quickly.
> Since then, Heroku has been acting beyond strange. Every day they update the incident with essentially the same non-update, but written differently, with vague references to the same information they’ve sent 14 days in a row.
There’s a simple reason for this: their incident response policy requires they not leave customers un-updated more than x hours/days. Their tooling likely reminds someone if it isn’t done.
+1. If you need another data point, the entirety of my Heroku presence is a single free plan toy app that has literally been untouched for many years at this point, and I got the password reset notification.
Just FWIW... I have an account I created in 2013 (based on a registration email.) It appears in my 1Password, imported from LastPass, so I probably logged in around/after 2016. No later than Nov 2018.
I don't have the password reset email, and logging in just asks me to add MFA, and then to accept 2020 terms.
For another data point, I got an email yesterday from "Salesforce" about a Heroku dataclip. I had recently deleted it, so maybe the email was queued up a couple days before. The email says, in part, "We recommend that you update and refresh the unique URL used with dataclips using Shareable Links as soon as possible."