Skip links

Communication around Heroku security incident dubbed ‘train wreck’

Efforts by Salesforce-owned cloud platform Heroku to manage a recent security incident are turning into a bit of a disaster, according to some users.

Heroku has run security incident notifications for 18 days and appears to have upset several of its customers due to a perceived lack of openness and communication.

The most recent status update from just prior to midnight UTC on 3 May read: “A subset of Heroku customers will receive email notifications directly from Salesforce Incident Alerts ( regarding our continuous efforts to enhance security.”

“We recommend that you reset your user account password,” was the best advice the platform’s support could give, said one Heroku user on Hacker News. Others harbored some healthy curiosity about what might lie behind the advice.

One customer said they’d invited the Salesforce incident handler to provide a “statement that confirms whether or not config variables and secrets were accessed, or that you’re not sure.”

According to the post, they received the reply: “We currently have no evidence that Heroku customers’ secrets stored in config Var were accessed. If we find any evidence of unauthorized access to customer secrets, we will notify affected customers without undue delay.”

Lack of clarity over whether “no evidence” simply meant Heroku did not know further alarmed users.

“Law of No Evidence: Any claim that there is ‘no evidence’ of something is evidence of bullshit,” one user pointed out.

“This is turning into a complete train wreck and a case study on how not to communicate with your customers,” another added.

The incident began when the Heroku’s GitHub access tokens were compromised.


So, what happened with GitHub, Heroku, and those raided private repos?


A statement on 15 April said: “We’re actively investigating a report received on April 13, 2022 from GitHub that a subset of Heroku’s GitHub private repositories, including some source code, were downloaded by a threat actor on April 9, 2022. We proactively notified our Heroku customers regarding this issue and will continue to provide updates to assist them as the investigation continues.”

The news followed a 12 April statement from GitHub Security which said an investigation had found an attacker had abused stolen OAuth user tokens — an open standard for website or application access delegation — issued to Heroku and Travis-CI to download data from several organizations.

By April 27, GitHub said it was sending out its final notifications to impacted customers, and said the attackers used the stolen OAuth tokens issued to Heroku and Travis CI to list user organisations before choosing targets and cloning private repositories.

Its analysis of the attacker’s pattern of behaviour suggested they were only listing organizations in order to identify accounts to target for listing and downloading private repositories, GitHub said.

You can read our analysis of the incident here.

The Register has asked Heroku’s parent Salesforce to comment. ®