by bradleybuda 1496 days ago
Text of the email:

At Salesforce, we understand that the confidentiality, integrity, and availability of your data is vital to your business, and we take the protection of your data very seriously. We value transparency and wanted to notify you of an issue affecting your account. Based on current progress, we plan to complete our investigation by May 30, 2022. We are continuing with remediation activities and plan to publish additional information about the incident once it’s resolved.

As reported on status.heroku.com, on April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. On that same day, the threat actor downloaded data from another database that stores pipeline-level config vars for Review Apps and Heroku CI. This was identified on May 16, 2022, after further forensic investigation. We have no evidence of any unauthorized access to Heroku systems since April 14, 2022.

As a result, any secrets you set in Review Apps and Heroku CI config vars may have been compromised and should be rotated. In addition, any Heroku tokens stored in these pipeline config vars would potentially have allowed access to your Heroku account between April 7, 2022 and May 5, 2022, when your passwords were reset, invalidating all Heroku tokens as a result.

Please note, these pipeline-level config vars are different from standard app config vars. App config vars were not stored in this database and we have no evidence to suggest app config vars were compromised.


> At Salesforce, we understand that the confidentiality, integrity, and availability of your data is vital to your business [...]

Hey Bob, why didn't you tell your customers a month ago to rotate their creds just to be safe? This is flat out insulting.

What's more - the public status page of this security incident (https://status.heroku.com/incidents/2413) doesn't mention that these secrets were compromised. They chose to send this notification privately instead.
But… “We value transparency…”

Give me strength.

The true masterstroke though is shutting down Heroku so that the negative press of this doesn't affect it. "What is dead may never die!"

> At salesforce.com, inc., trust is our #1 value

Their legal pages[1] are filled to the brim with those ridiculous statements. I never understood why they'd even bother making it sound nice, especially not for B2B.

Customers won't trust the message and likely can't use them in court, and they themselves must surely know they're creating expectations that they can't guarantee to meet.

[1] https://www.salesforce.com/company/legal

Regarding values, I like to ask myself if another company would defend the opposite, for smelling emptiness.

Reminds me of Jakob Nielsen's rule for writing a good "About" page. If you can insert a "not" into a sentence and get something that no other company would ever put on their own About page, the sentence is worthless.

Is Salesforce potentially in violation of EU law regarding data breach notifications? It seems like they either knew the scope of the breach was likely to be much bigger (based on the fact that the investigation was ongoing) or flat out had evidence that it was already. But that said, I don't know how that all works. So I'm genuinely curious if there's a possibility this is illicit.