Heroku April 2022 Incident Review

118 points, by glennericksen, almost 3 years ago

3 comments

ezekg, almost 3 years ago

> We began investigating how the threat actor gained initial access to the environment and determined it was obtained by leveraging a compromised token for a Heroku machine account. We determined that the unidentified threat actor gained access to the machine account from an archived private GitHub repository containing Heroku source code. We assessed that the threat actor accessed the repository via a third-party integration with that repository. We continue to work closely with our partners, but have been unable to definitively confirm the third-party integration that was the source of the attack

So they still don't know how it happened.
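The chain quoted above started with a machine-account token sitting in an archived private repository, which is exactly the kind of artifact a repository secret scan is meant to catch before an integration with read access does. What follows is an added example, not code from Heroku, GitHub, or the incident review: a small scanner run over a constructed snapshot of repository files. The token shapes it looks for are assumptions made for illustration (a "gh?_" prefix followed by a long base62 body for GitHub tokens, UUID-shaped values for Heroku API keys), and every credential in the sample input is fake.

```python
import math
import re
from dataclasses import dataclass

# Assumed token shapes for illustration (not taken from the incident review):
# GitHub tokens carry a gh?_ prefix and a long base62 body; Heroku API keys
# look like UUIDs. Generic credential assignments are caught by entropy.
GITHUB_TOKEN_RE = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I
)
# name=value or name: value where the name suggests a credential
ASSIGN_RE = re.compile(
    r"""(?i)\b([A-Z0-9_]*(?:TOKEN|SECRET|KEY|PASSWORD)[A-Z0-9_]*)\s*[=:]\s*["']?([^\s"']+)"""
)


@dataclass
class Finding:
    path: str
    lineno: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random base62 material scores well above 3.5."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be located without echoing the secret."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:6] + "*" * (len(value) - 6)


def scan_text(path: str, text: str) -> list:
    """Return one Finding per distinct credential-looking value in a file."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        # Known-prefix tokens are the highest-confidence hit.
        for m in GITHUB_TOKEN_RE.finditer(line):
            if m.group(0) not in seen:
                seen.add(m.group(0))
                findings.append(Finding(path, lineno, "github-token", m.group(0)))
        # Credential-named assignments: accept UUIDs or high-entropy values.
        for m in ASSIGN_RE.finditer(line):
            _, value = m.groups()
            if value in seen:
                continue
            if UUID_RE.fullmatch(value):
                kind = "uuid-credential"
            elif len(value) >= 20 and shannon_entropy(value) > 3.5:
                kind = "high-entropy-secret"
            else:
                continue
            seen.add(value)
            findings.append(Finding(path, lineno, kind, value))
    return findings


def scan_repo(files: dict) -> list:
    """files maps path -> text; in practice feed every blob in the history, not just HEAD."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed repository snapshot for the example; all credentials are fake.
SAMPLE_FILES = {
    "config/production.env": (
        "DATABASE_URL=postgres://app:app@localhost/app\n"
        "HEROKU_API_KEY=8f9c2a1e-4b7d-4c3a-9e1f-2d6b8a0c5e7f\n"
        "DEBUG=false\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "# constructed example; token value is fake\n"
        'export GITHUB_TOKEN="ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"\n'
        "git push heroku main\n"
    ),
    "README.md": 'password = "hunter2"  # short, low entropy: not reported\n',
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.lineno}: {f.kind} {redact(f.value)}")
```

Run against a real repository, the input should be every blob reachable from every ref, since an archived repository keeps its full history and a token removed in a later commit is still readable through an integration's clone. Findings are reported redacted so the scan log itself does not become another copy of the secret.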
btown, almost 3 years ago

> Additionally, according to GitHub, the threat actor accessed and cloned private repositories stored in GitHub owned by a small number of our customers. When this was detected, we notified customers on April 15, 2022, revoked all existing tokens from the Heroku Dashboard GitHub integration, and prevented new OAuth tokens from being created.

Various customers received an email from Heroku on April 15 saying "We value transparency and wanted to notify you of an incident we're actively investigating that may lead to unauthorized access to your GitHub repositories connected to Heroku."

The way this incident review (to call it a post-mortem would be an insult to those who write good post-mortems) phrases things, customers have no way of knowing if that email meant they were one of those "small number of customers" or not. And what is a small number, anyways? Is 49% of customers a small number of customers? It's an absurd situation.
drusepth, almost 3 years ago

Side note on Heroku: they've been very aggressively upgrading old app dependencies this week (I've had ~9 apps go down for mandatory Postgres maintenance in the last 24h, with almost no notice for some of them). With how little information they've given regarding this incident, I can't help but wonder if it's related.