David E. Chen: Discovering the Heroku Vulnerability

108 points by daverecycles, over 14 years ago

4 comments

SupremumLimit, over 14 years ago

I'm at least pleased with the way they handled the vulnerability. They seem to be making preventative changes for the future, which is the main thing.

As much as I'd like everyone to be diligent about security as David suggests, I don't think it's going to happen. Developers aren't security or admin experts, but they (me included) want a way to deploy apps without it being a major hassle. Handing off security to the provider is one of the big reasons there are > 100K apps on Heroku, and it's a calculated cost/risk tradeoff.

Comment #2129152 not loaded
tlrobinson, over 14 years ago

Which platform was this?

"For example, one Node.js platform provider that has been in the news recently was hacked in the past few days and all of their user databases were deleted. The reason why? They accidentally published their database password on GitHub. Oops."

This doesn't really surprise me, considering everyone and their mother is currently building "Heroku for Python/Node.js/[hot technology]".

Comment #2128773 not loaded
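The incident quoted above (a database password committed to a public GitHub repository) is the kind of mistake a pre-commit secret scan catches before the push. The following is an added example, not code from the article, from Heroku, or from any commenter: a small scanner that flags credential-looking assignments and connection strings in staged files, while skipping obvious placeholders and environment-variable references so it stays usable. The file names, contents, and regex rules are constructed for this example and are not a vetted ruleset.

```python
import re
import sys

# Constructed detection rules (example only). Each regex captures the
# candidate secret value in group 1 so it can be checked and masked.
SECRET_PATTERNS = [
    # user:password@host inside a database connection URL
    ("database_url_with_password",
     re.compile(r"\b(?:postgres|postgresql|mysql|mongodb)://[^\s:@/]+:([^\s@/]+)@", re.I)),
    # password = value / DB_PASSWORD: value (also matches FOO_PASSWORD)
    ("password_assignment",
     re.compile(r"\b[A-Za-z_]*pass(?:word|wd)?\b\s*[:=]\s*['\"]?([^'\"\s]{6,})", re.I)),
    # secret_key / api_key followed by a long token
    ("generic_secret_key",
     re.compile(r"\b(?:secret|api)_?key\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})", re.I)),
]

# Values that are clearly not real credentials and should not block a commit.
PLACEHOLDER_VALUES = {"changeme", "password", "xxxx", "<redacted>", "your_password_here"}


def mask(value):
    """Keep only the first and last two characters so reports never echo the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def is_placeholder(value):
    """Skip template values and shell/CI-style ${VAR} references."""
    return value.lower() in PLACEHOLDER_VALUES or value.startswith("${")


def scan_text(path, text):
    """Return a list of findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if not match or is_placeholder(match.group(1)):
                continue
            findings.append({"file": path, "line": lineno,
                             "rule": rule, "preview": mask(match.group(1))})
    return findings


def scan_files(files):
    """files: mapping of path -> contents (what a pre-commit hook would read from the index)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample "staged" files for a stand-alone run.
SAMPLE_FILES = {
    "config/database.yml": (
        "production:\n"
        "  adapter: postgresql\n"
        "  url: postgres://app:Hunter2Secret@db.example.internal:5432/app\n"
    ),
    "config/settings.example.yml": (
        "password: changeme\n"
        "DATABASE_PASSWORD: ${DATABASE_PASSWORD}\n"
    ),
    "app.js": "const API_KEY = 'sk_live_0123456789abcdefXYZ';\n",
}


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['rule']} ({f['preview']})")
    # Non-zero exit makes a pre-commit hook refuse the commit.
    sys.exit(1 if results else 0)
```

Run as a pre-commit hook, the script would read the staged contents instead of `SAMPLE_FILES`; the masked preview lets a reviewer confirm the hit without the secret itself ever landing in hook output or CI logs. A scanner like this is a safety net, not a substitute for keeping credentials in environment variables or a secrets manager in the first place.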
code_duck, over 14 years ago

This sort of hosting is basically no different than a typical 'shared host'. Why is there no 'Heroku for PHP'? Oh... because those have been around for 8 years+ and are called 'shared hosts with Apache/PHP/MySQL'.

I've looked around on a couple of hosts, 1and1 and I think he.net, and found that it was quite possible to go looking around in other users' accounts through the shell.

I'll stick with VPSs and dedicated servers.

Comment #2135155 not loaded
wrs, over 14 years ago

Ugh. And to think I was worried about the implications of user privilege exploits on Heroku (well, I still am). Turns out there was no need to be so fancy!