[craigkerstiens]

"a Heroku database" was what was known as core-db internally for the longest time. I'm not sure if still the case or not today.

But at one point was the source of everything for Heroku.

Over time things were moved out, so this isn't an everything that exists has been leaked, but it is not a guarantee that attacker didn't move from one area to another.

As someone with some apps on Heroku, having worked there, but no knowledge of the details of the incident more than others... I would:

1. Rotate all creds

2. Ensure logging all connections to the DB (I can't recall how much you can do this on Heroku)

3. Extra heavily audit Github commits and Heroku releases

4. Maybe keep rotating all creds?

[srinathkrishna]

I feel for the team working on this at this time. I hope this doesn't end up accelerating the culling off of Heroku by Salesforce. One of the smartest and nicest bunch of folks I've worked with.

[craigkerstiens]

Completely agree, heart goes out to the team. No harsh judgement of all the engineering team there, not a fun situation and hope they know a lot of folks in their corner.

[jeromegv]

Heroku is heavily connected with Salesforce now with Heroku Connect, I doubt this is part of the plan.

[bobx11]

There was already a plan by salesforce to kill it and make it into salesforce functions. Someone else here called it project periwinkle.

[traderj0e]

That's frustrating. Heroku is one of the nicest cloud services I've ever used, and am currently using.

[ryanmcbride]

Salesforce has been holding heroku further and further out over a ledge they're definitely not planning on supporting it for much longer.

Edit: I only had one project left on heroku and I migrated it to Render a few months ago.

[Abishek_Muthian]

> but it is not a guarantee that attacker didn't move from one area to another.

The incident notification seems like the customers who are using GitHub integration are the ones who are compromised, If the attacker has gained access to other accounts then it needs to be clarified so that we could take repository level mitigations as you've mentioned; Else most will just reset account passwords and be done with it.

[mike_d]

"Access to the environment was gained by leveraging a compromised token for a Heroku machine account"

This is the equivalent of saying "the car was stolen because the car keys were laying on the kitchen table." They still don't know how they got into the house to get the car keys.

GitHub was just one branch that the attacker took to further access, another being the download of the accounts database. We don't know how many other things they did.

[martinald]

The initial update said that the Heroku internal code itself was accessed. I wonder if they grabbed that, then analysed it to find various exploits?

[smarx007]

"a compromised token for a Heroku machine account" sounds more like a master key was stolen from a car dealer.

[mike_d]

That would imply a breach of AWS itself, which I do not believe to be the case.

[xena]

You get the wrong auth credentials in the right hands and everything goes to hell and back.

[craigkerstiens]

The latest report states about "a database" which is presumably the internal database. I don't want to speculate too much, but it seems attacher had access to internal systems. GitHub were the ones that detected and noticed it and reported to Heroku. Do not disagree that there should be more clarity, but best to follow up with Salesforce on that.