by majormajor 1503 days ago
The last couple of large places I've worked specifically split out the auth/password DB from the rest of the user data. They're used for different things and they have different types of sensitivity around them.

For any individual/organization remotely competent at security (i.e. not using Passw0rd! as a password and reusing it elsewhere), a leak of hashed passwords is probably the least of their concerns. Compared to this, anyway:

> According to GitHub, the threat actor began enumerating metadata about customer repositories with the downloaded OAuth tokens on April 8, 2022. On April 9, 2022, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code.

Former Heroku employee, though long, long, long ago, with no specific knowledge about this incident, but...

We did so much work in open source it was just easier to assume everything was always publicly viewable, or that what you were doing now might be open sourced in the future along with the full commit history. Whether something was private or public was more a business decision around competitive risks and not a security-led one. To that end I'm far more concerned about a database and passwords getting popped.

But who knows, a lot can change in 10 years. Maybe private repos being exposed is also very bad.

This is also why folks advocate for a separate auth system (keycloak was just mentioned here on HN) since they are different types of information.

> I feel like at some point they're just going to go completely radio silent because the extent of the breach will become such that they'll have no choice but to just lawyer up.

I feel like they are heading this route as well. Possibly even withholding information in order to save the company from mass exodus due to the incident. I'm sure they'll be fine.

> Possibly even withholding information in order to save the company from mass exodus due to the incident. I'm sure they'll be fine.

Trust takes a long time to build and is easy to break. For anyone able to convert the Heroku buildpack to a Docker image and able to move the database, moving away from Heroku shouldn’t be too hard. There are multiple similar services nowadays.

Yep. Same thinking led to the split of /etc/shadow from /etc/passwd.
We moved basically everything but the username into an entirely different DB, and went so far as to hash the username column so we don’t even know what it is until you log in.
> hash the username column

Is this giving you any real security benefit? (I'd assume the usernames are indexed elsewhere and that it's a reasonable assumption that whoever gains access to this hashed data has access to the username list as well, making a lookup trivial - or are these not safe assumptions?)

Not GP, but one architecture where there would be a difference is one with a distinct identity provider, responsible solely for exchanging the user's long-lived username/password credentials for a short-lived ticket.
I imagine the process going a bit like https://youtu.be/y8OnoxKotPQ
I knew what that was before I clicked it. Never disappoints.
It's a PII, covering-our-butts thing more than anything. Wanting to absolutely minimize what we know about our users.
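The split discussed in this thread (an auth store holding only a username digest and password hash, a separate user-data store keyed by an opaque id, and an identity provider that swaps the long-lived password for a short-lived ticket), as an added Python example. This is not code from any commenter, from Heroku or from Keycloak; the class names, the server-side pepper, the PBKDF2 parameters, the ticket format and the sample users are all assumptions constructed for illustration. It also runs the lookup concern raised above: an unkeyed hash of the username column is reversed trivially by anyone holding a username list, while a keyed hash stays opaque only as long as the pepper is not stolen together with the database.

```python
import hashlib
import hmac
import secrets
import time

# Assumed: the pepper lives in the auth service's config/KMS, never in the auth DB.
PEPPER = secrets.token_bytes(32)
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for your hardware


def unkeyed_username_digest(username: str) -> str:
    """Plain SHA-256 of the username: reversible from any username list (see recover_usernames)."""
    return hashlib.sha256(username.strip().lower().encode()).hexdigest()


def username_digest(username: str, pepper: bytes = PEPPER) -> str:
    """HMAC-SHA256 of the normalized username under a server-side pepper."""
    return hmac.new(pepper, username.strip().lower().encode(), hashlib.sha256).hexdigest()


def hash_password(password: str, salt=None):
    """Per-user salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthStore:
    """Auth DB (the /etc/shadow side): username digest -> (salt, pw hash, user_id). No PII."""

    def __init__(self):
        self.rows = {}

    def add(self, username: str, password: str, user_id: str) -> None:
        salt, digest = hash_password(password)
        self.rows[username_digest(username)] = (salt, digest, user_id)

    def verify(self, username: str, password: str):
        row = self.rows.get(username_digest(username))
        if row is None:
            hash_password(password)  # burn the same work so timing doesn't reveal unknown users
            return None
        salt, digest, user_id = row
        _, candidate = hash_password(password, salt)
        return user_id if hmac.compare_digest(candidate, digest) else None


class ProfileStore:
    """User-data DB: opaque user_id -> PII. Holds no credentials and no usernames."""

    def __init__(self):
        self.rows = {}

    def put(self, user_id: str, profile: dict) -> None:
        self.rows[user_id] = profile

    def get(self, user_id: str) -> dict:
        return self.rows.get(user_id, {})


class TicketIssuer:
    """Identity provider: exchanges username/password for a short-lived HMAC-signed ticket."""

    def __init__(self, auth: AuthStore, ttl_seconds: int = 300, key=None):
        self.auth, self.ttl = auth, ttl_seconds
        self.key = key if key is not None else secrets.token_bytes(32)

    def _sign(self, body: str) -> str:
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def login(self, username: str, password: str, now=None):
        user_id = self.auth.verify(username, password)
        if user_id is None:
            return None
        exp = int((now if now is not None else time.time()) + self.ttl)
        body = f"{user_id}.{exp}"  # assumed format: user_id.expiry.signature; ids contain no '.'
        return f"{body}.{self._sign(body)}"

    def check(self, ticket: str, now=None):
        try:
            user_id, exp, sig = ticket.split(".")
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(f"{user_id}.{exp}")):
            return None
        if (now if now is not None else time.time()) >= int(exp):
            return None
        return user_id


def recover_usernames(leaked_digests, candidate_usernames, hash_fn):
    """Offline lookup an attacker runs against a dumped username column: build a table
    from a username list under hash_fn and map each leaked digest back to a name."""
    table = {hash_fn(u): u for u in candidate_usernames}
    return [table.get(d) for d in leaked_digests]


if __name__ == "__main__":
    auth, profiles = AuthStore(), ProfileStore()
    auth.add("Alice", "correct horse battery", "u1")          # constructed sample user
    profiles.put("u1", {"email": "alice@example.invalid"})    # PII lives only here
    idp = TicketIssuer(auth)
    ticket = idp.login("alice", "correct horse battery")
    print("profile for ticket holder:", profiles.get(idp.check(ticket)))
    dump = list(auth.rows)  # what an attacker sees in the auth DB
    print("without pepper:", recover_usernames(dump, ["alice", "bob"], unkeyed_username_digest))
    print("with pepper:   ", recover_usernames(dump, ["alice", "bob"], username_digest))
```

The usernames are normalized before hashing so the digest is stable across case differences; a leak of AuthStore alone yields salted PBKDF2 hashes and opaque username digests, and a leak of ProfileStore alone yields PII with no way to authenticate. The last two print lines are the caveat from the thread: the keyed digest only helps when the compromise is a database dump rather than the auth service itself, because an attacker holding the pepper rebuilds the lookup table just as easily as with plain SHA-256.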