by jarcoal 1504 days ago
I just received an email back from an Incident Handler at Salesforce. I wrote:

> A statement that confirms whether or not config variables and secrets were accessed, or that you're not sure, needs to be sent out.

To which they replied:

> We currently have no evidence that Heroku customers’ secrets stored in config Var were accessed. If we find any evidence of unauthorized access to customer secrets, we will notify affected customers without undue delay.

Take that as you will, but it doesn't fill me with confidence.


https://thezvi.wordpress.com/2021/12/20/law-of-no-evidence/

> Law of No Evidence: Any claim that there is “no evidence” of something is evidence of bullshit.

What else can you say?

It's impossible to know if a vulnerability was exploited.

"We don't have enough information to determine whether or not this vulnerability was exploited. We are operating under the assumption that it has been." is what I want to hear. I do not want to hear "We have no evidence that the vulnerability has been exploited," which, of course, minimises the fact that it may have been and does nothing to communicate what assumption they're working under - i.e. that they're probably going to assume it hasn't been exploited.

TL;DR: I'd rather them be entirely up front about the fact that they can't tell if it has been exploited and advise you to assume it has been than them try to weasel out of saying their logs aren't good enough but "you'll probably be alright, eh".

> We are operating under the assumption that it has been.

This gets expensive quick.

Probably the reason people try to avoid security incidents

In this case it's already happened, time to spill the bag

"If you think safety is expensive, try an accident!" - Stelios Haji-Ioannou

Which really means that if you discover a vulnerability in your system, you assume that it was fully exploited.

Reality: You can't prove a negative.

Why? I think it's pretty evident that there's no reason to believe there's been a security breach there as far as they understand as of now.

There was certainly a breach three weeks ago that they seem to have been investigating since. I am, like the commenter above, not filled with confidence about their statement, mostly because of the total lack of transparency so far.

The fact that they're only now sending additional notifications to rotate creds hints at something bigger than they initially announced, but really we have no idea, since they never gave much detail in the first place.

There was a security breach. They don't know what the breach was, they don't know if the attacker has access to other systems, they just don't know.

No evidence of something is not particularly useful information if you weren't even looking out for it in the first place.

GitHub tokens were accessed and used to attack things outside of Heroku. Something was breached. We don't know what, when it occurred, or the extent of the breach, and I bet Heroku doesn't know either.