Users complain about Heroku’s incident management communications • The Register

According to some users, efforts by Salesforce-owned cloud platform Heroku to handle a recent security incident are turning into a disaster.

Heroku has been running security incident notifications for 18 days and seems to have frustrated several of its customers due to a perceived lack of openness and communication.

The most recent status update just before midnight UTC May 3, read: “A subset of Heroku customers will receive email notifications directly from Salesforce Incident Alerts ([email protected]) regarding our ongoing efforts to improve security. “

“We recommend that you reset your user account password,” was the best advice platform support could give, mentioned a Heroku user on Hacker News. Others harbored a healthy curiosity about what might be behind the advice.

A customer said he asked the Salesforce incident handler to provide a “statement that confirms whether or not configuration variables and secrets have been accessed, or that you are unsure.”

According to the message, they received the response: “We currently have no evidence that Heroku client secrets stored in the Var configuration have been accessed. If we find evidence of unauthorized access to client secrets, we inform affected customers without undue delay.”

The lack of clarity as to whether “no evidence” simply meant that Heroku didn’t know of any other alarmed users.

“Law of No Evidence: Any claim that there is ‘no evidence’ for something is bullshit evidence,” one user pointed out.

“This turns into a complete train wreck and a case study of how not to communicate with your customers,” added another.

The incident started when Heroku’s GitHub access tokens were compromised.

github

So what happened with GitHub, Heroku and those hacked private repositories?

READ MORE

A April 15 press release said: “We are actively investigating a report received on April 13, 2022 from GitHub that a subset of Heroku’s private GitHub repositories, including source code, was uploaded by a malicious actor on April 9, 2022. We have proactively notified our Heroku customers regarding this issue and will continue to provide updates to assist them as the investigation continues.”

The news follows an April 12 statement from GitHub Security that said an investigation found an attacker misused stolen OAuth user tokens — an open standard for delegating access to a website or to an application – issued to Heroku and Travis-CI to download data from multiple organizations.

On April 27, GitHub said it was sending its final notifications to affected customers and said attackers used stolen OAuth tokens issued to Heroku and Travis CI to list user organizations before choosing targets and cloning. private repositories.

Its analysis of the attacker’s behavior suggested that it was only listing organizations to identify accounts to target to list and download private repositories, GitHub said.

You can read our analysis of the incident here.

The register asked Heroku’s parent, Salesforce, for comment. ®