Security News > 2022 > May > Communication around Heroku security incident dubbed 'train wreck'
Efforts by Salesforce-owned cloud platform Heroku to manage a recent security incident are turning into a bit of a disaster, according to some users.
The most recent status update from just prior to midnight UTC on 3 May read: "A subset of Heroku customers will receive email notifications directly from Salesforce Incident Alerts regarding our continuous efforts to enhance security."
According to the post, they received the reply: "We currently have no evidence that Heroku customers' secrets stored in config Var were accessed. If we find any evidence of unauthorized access to customer secrets, we will notify affected customers without undue delay."
Lack of clarity over whether "No evidence" simply meant Heroku did not know further alarmed users.
A statement on 15 April said: "We're actively investigating a report received on April 13, 2022 from GitHub that a subset of Heroku's GitHub private repositories, including some source code, were downloaded by a threat actor on April 9, 2022. We proactively notified our Heroku customers regarding this issue and will continue to provide updates to assist them as the investigation continues."
The news followed a 12 April statement from GitHub Security which said an investigation had found an attacker had abused stolen OAuth user tokens - an open standard for website or application access delegation - issued to Heroku and Travis-CI to download data from several organizations.