They got hacked about a month ago and have been extremely cagey about what exactly was hacked ever since.
Turns out the master database with encrypted username/passwords got leaked and encrypted environment variables were also leaked, but it was like pulling teeth to get them to answer whether or not these happened or even admit that it might have been possible. Presumably more than this was also leaked, but so far they haven't said anything on that. Env vars were the biggest concern on everyone's mind.
They gave the absolute least amount of information over the longest period they could muster.
The problem wasn't the hack really, it was the lack of transparency in the response.
I should've said "hashed" not encrypted passwords. But the env vars are the real problem. They haven't categorically dismissed the hacker somehow getting access to the actual environment variables either. Only said there isn't evidence of that happening.
If it comes out that the hacker did get to unencrypted env vars, I think it's game over for Heroku. Nobody should trust them with sensitive data.