[Abishek_Muthian]

> but it is not a guarantee that attacker didn't move from one area to another.

The incident notification seems like the customers who are using GitHub integration are the ones who are compromised, If the attacker has gained access to other accounts then it needs to be clarified so that we could take repository level mitigations as you've mentioned; Else most will just reset account passwords and be done with it.

[mike_d]

"Access to the environment was gained by leveraging a compromised token for a Heroku machine account"

This is the equivalent of saying "the car was stolen because the car keys were laying on the kitchen table." They still don't know how they got into the house to get the car keys.

GitHub was just one branch that the attacker took to further access, another being the download of the accounts database. We don't know how many other things they did.

[martinald]

The initial update said that the Heroku internal code itself was accessed. I wonder if they grabbed that, then analysed it to find various exploits?

[smarx007]

"a compromised token for a Heroku machine account" sounds more like a master key was stolen from a car dealer.

[mike_d]

That would imply a breach of AWS itself, which I do not believe to be the case.

[xena]

You get the wrong auth credentials in the right hands and everything goes to hell and back.

[craigkerstiens]

The latest report states about "a database" which is presumably the internal database. I don't want to speculate too much, but it seems attacher had access to internal systems. GitHub were the ones that detected and noticed it and reported to Heroku. Do not disagree that there should be more clarity, but best to follow up with Salesforce on that.