by mepiethree 1494 days ago
11 days ago they said "While we confirmed that the threat actor had access to encrypted Heroku customer secrets stored in config var, the secrets are encrypted at rest and the threat actor did not access the encryption key necessary to decrypt config var secrets."

I guess that was a lie?!

2 comments

the subsequent blog post (https://blog.heroku.com/we-heard-your-feedback) says:

> Additionally, we have no evidence that the attacker has accessed any customer accounts or decrypted customers’ environment variables.

which, as pointed out in its HN thread, means "we now know they got access to encrypted vars, and we don't know yet if they could have decrypted them." in BS-speak.

The title "We've Heard Your Feedback" is also a red herring; it usually means "we know we fucked up bad and we still have no idea of the whole impact of the breach".

HN with the quality security advice, with all the recommendations to rotate config vars just to be safe.
I can't think of a reason to not rotate credentials and variables the second you see a security incident of this scale even when it was in the very earliest stages. Better safe than sorry, and also a good time to review just how easy it is to update all the variables (is it automated & scripted, where are they stored and generated, etc.)
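One way to make the "is it automated & scripted" check concrete, as an added example that is not code from Heroku or from any commenter in this thread: inventory an app's config vars, split them into secrets the app itself can regenerate (signing keys, API tokens) versus add-on credentials that must be rotated at the provider (`DATABASE_URL`-style values), generate fresh values, and push them through the Heroku Platform API `PATCH /apps/{app}/config-vars` endpoint. The sample config, the app name `example-app`, the placeholder token and the name-based classification heuristic are all assumptions constructed for this example; the dry-run mode is the default so nothing is sent unless you ask for it.

```python
"""Plan and (optionally) apply a rotation of Heroku config vars.

Added example for the discussion above; not Heroku's code. The API
endpoint and Accept header are Heroku Platform API v3 conventions; the
sample config and classification rules are constructed assumptions.
"""
import json
import re
import secrets
import urllib.request

HEROKU_API = "https://api.heroku.com"

# Constructed sample of what `heroku config --json` might return.
SAMPLE_CONFIG = {
    "SECRET_KEY_BASE": "old-value",
    "JWT_SIGNING_KEY": "old-value",
    "DATABASE_URL": "postgres://user:pass@db.example.invalid/app",
    "RAILS_ENV": "production",
}

# Heuristic (assumption): connection strings come from add-ons and must be
# rotated at the provider; names with these words are app-owned secrets
# we can simply regenerate; everything else is plain configuration.
PROVIDER_RE = re.compile(r"(_URL|_DSN)$")
SECRET_RE = re.compile(r"SECRET|TOKEN|PASSW|KEY", re.IGNORECASE)


def classify(config):
    """Map each config var name to 'provider', 'regenerate' or 'skip'."""
    result = {}
    for name in config:
        if PROVIDER_RE.search(name):
            result[name] = "provider"
        elif SECRET_RE.search(name):
            result[name] = "regenerate"
        else:
            result[name] = "skip"
    return result


def new_secret(nbytes=32):
    """Fresh URL-safe secret from the OS CSPRNG (43 chars for 32 bytes)."""
    return secrets.token_urlsafe(nbytes)


def plan_rotation(config):
    """Return {name: new_value} for every var we can regenerate ourselves."""
    return {name: new_secret() for name, kind in classify(config).items()
            if kind == "regenerate"}


def apply_rotation(app, token, new_values, dry_run=True):
    """PATCH the new values into the app's config vars.

    With dry_run=True (default) the request is described but not sent,
    so the rotation can be reviewed and tested without an API token.
    """
    url = f"{HEROKU_API}/apps/{app}/config-vars"
    body = json.dumps(new_values).encode()
    headers = {
        "Accept": "application/vnd.heroku+json; version=3",
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    if dry_run:
        # Never echo the secret values themselves; names are enough to review.
        return {"method": "PATCH", "url": url, "keys": sorted(new_values),
                "body": body.decode()}
    req = urllib.request.Request(url, data=body, headers=headers, method="PATCH")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    kinds = classify(SAMPLE_CONFIG)
    for name, kind in sorted(kinds.items()):
        print(f"{name:20} {kind}")
    plan = plan_rotation(SAMPLE_CONFIG)
    # Placeholder token: replace with a real one and set dry_run=False to apply.
    print(apply_rotation("example-app", "PLACEHOLDER_TOKEN", plan)["keys"])
```

Two things this script deliberately does not do: it never prints the new values (log them and you have created the next leak), and it does not try to regenerate provider-managed credentials, because a random string in `DATABASE_URL` just breaks the app; those get rotated in the add-on's own console or CLI. Be aware that rotating a secret used to sign sessions or tokens (e.g. a Rails `SECRET_KEY_BASE`) invalidates everything signed with the old value, so schedule it accordingly.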