Heroku hacked

Saw this from Hackernews.


Haven't read in full yet, but it seems like their internal DB was hacked, which leaked oAuth token for Github, which should allow hackers to have access to your private repositories.

If you have some keys hardcoded into your code, you might want to rotate those.


  • armandorgarmandorg Services Provider

    @Daniel said:
    TIL Heroku is owned by Salesforce

    Salesforce, We Bring Companies and Customers Hackers Together

    Web Design Agency - Custom Web Designs
    WHMCS.design - WHMCS Themes | Blesta.shop - Blesta Themes

  • I received a mail 2 days ago from Heroku. Nowhere in their mail they said nothing about "they were hacked" except a link to a status report which shows Github repos being downloaded. I thought it could be just invalidating old credentials and forcing customers to use better password. Now the story is different.


    Heroku will start resetting user account passwords today, May 4, 2022, as mentioned in our previous notification. We recommend that you reset your user account password in advance here and follow the best practices below:

    Minimum of 16 characters
    Minimum complexity of 3 out of 4: Uppercase, Lowercase, Numeric, Symbol
    Don't just add a letter or a 1 digit number to the existing password while changing
    Passwords may not be duplicated across accounts

    If you do not reset your password and your user account password is reset by Heroku today, your existing password will no longer work. To log in to Heroku, you must reset your password by accessing the Heroku login page and clicking the "Forgot your password?" link . Due to the nature of this issue, you may be required to reset your passwords again in the future.

    NOTE: A password reset will also invalidate your API access tokens. As a result, any automations you’ve built to integrate with the Heroku Platform API that use these tokens may result in 403 forbidden errors . To avoid downtime you will need to re-enable direct authorizations by following the instructions here and update your integrations to use your newly generated token.

    As an added precaution, we strongly recommend enabling Multi-Factor Authentication (MFA) by following the guidance in the MFA article in the Heroku Dev Center. To ensure you have a backup to your primary MFA verification method, we also suggest setting up recovery codes.

    We sincerely regret any inconvenience you may have experienced because of this issue and appreciate your trust in us as we continue to make your success our top priority. Please continue to visit status.heroku.com for the latest updates.

    If you used your previous password on any other sites, we highly recommend you also change your password on those sites. If you have any questions or require assistance, please open a case with Heroku Support.

    Thank you,


  • edited May 2022

    @Boogeyman said: Nowhere in their mail they said nothing about

    Well ofcourse lowend @deank, they are not gonna announce they had been hacked in their mail, it's bad for publicity. I got the same mail myself. Luckily [in a world of Docker] noone should ever use Seppuku i mean Heroku.

    Thanked by (2)cybertech pikachu
  • It's not being hacked.
    it's just surprise guests in a party.

    ♻ Amitz day is October 21.
    ♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.

Sign In or Register to comment.