[mike_d]

"Access to the environment was gained by leveraging a compromised token for a Heroku machine account"

This is the equivalent of saying "the car was stolen because the car keys were laying on the kitchen table." They still don't know how they got into the house to get the car keys.

GitHub was just one branch that the attacker took to further access, another being the download of the accounts database. We don't know how many other things they did.

[martinald]

The initial update said that the Heroku internal code itself was accessed. I wonder if they grabbed that, then analysed it to find various exploits?

[smarx007]

"a compromised token for a Heroku machine account" sounds more like a master key was stolen from a car dealer.

[mike_d]

That would imply a breach of AWS itself, which I do not believe to be the case.

[xena]

You get the wrong auth credentials in the right hands and everything goes to hell and back.