by tflinton 1490 days ago
I'm actually impressed that Heroku despite so much backlash refused to enable it until they were certain it was secure. Even if it took forever and no doubt probably lost them significant customers.

My armchair guess is whatever method someone used to gain access more than likely took an architectural change to fix.

3 comments

My anecdotal understanding is that it has been GitHub who has been apprehensive to allow Heroku to reenable and not something Heroku could be lauded for
The way they handled this was atrocious. It took them a month to identify and recommend secret rotation, after having communicated they didn't feel it was necessary. That can't happen from a PaaS provider.
It's not entirely clear that they do know it's secure given they don't seem to know how the attacker gained access in the first place.