Tell HN: Heroku bans 10 year account without notice or explanation
182 points by nicholasreed on Aug 20, 2021 | 25 comments
I've been a paying Heroku customer for a decade, with multiple businesses (a surf company, tennis reservation system) and personal projects hosted without issue.

On Tuesday, I woke up to sites down and my login not working. No emails from Heroku. After emailing support, I got an automated response that I'd been banned for violations of the Acceptable Use Policy. No details, just instantly dropped.

I've sent 10s of emails to every Heroku and Salesforce support and security department, called the SF offices, and tried social media. I still have no idea why my account was suspended, and apparently I have no recourse to get my company data back (backups, credentials...everything is through the Heroku login).

Heroku is trying to put me out of business, I recommend you leave them before they do the same to you!




Once again, never ever commingle customer accounts: one bad apple ruins it for all of them. Create a new (in this case, Heroku) account for each customer, no exceptions.

Story time: I worked for a major marketing firm that did this with Facebook. We would see accounts go down every once in a while, and it turned out the managers of the companies that cried foul were doing foul things which we would have to resolve (bonus: extra $$$ too). One Saturday our monitoring started chirping, only to find all Facebook accounts were deactivated. It took us 10 minutes to realize we had not changed our tooling to support their API changes. These were well-known name brands that were completely down. That was the first time I had seen an entire company scramble to resolve an issue, but we were back up and hobbling around within 2 hours.

Always separate accounts.


Can you link a single credit card to multiple accounts?

Also, if they notice the same people, from the same IP, with the same credit card, (...), are running a bunch of accounts, why wouldn't they ban it all after a ToS violation?


Because maybe what you described isn’t a violation of terms of service. Do you always start companies without consulting a lawyer?

Sorry for the snark, but this seems like a thinly veiled attempt at a troll.


I don't think they are trolling; I have exactly the fear that somehow now my email, IP, all linked credit cards on other accounts, etc, are about to be autobanned by the same broken process that got me to this point.

The biggest concern is the complete lack of transparency in why the account was suspended; was I hacked and I need to protect other things? Was my customer data accessed? I haven't the faintest idea, which is a helpless feeling.

I had planned for outages, disconnects, etc, but literally EVERYTHING is behind the Heroku login; because I never considered anything I was doing remotely bad, I never considered I'd be suddenly unable to login to every 3rd party backup service, access environment variables, etc.


You are not your end users. I’ve had services terminated because script kiddies attacked me. Literally nothing in my control, it was bad optics for the provider (and their customers). So you must find a way to insulate yourself. Multiple accounts is the way.

Think of it like this, when you are doing your accounting you don’t put everything on a single line item, you separate by customer to understand where your profit and losses are occurring. Same with service accounts


I'm not trolling. The trouble is that the systems that ban people from cloud platforms are largely automated. And if you trip a wire you have no recourse to talk with a human being, so the actual written lines in the ToS aren't very relevant.


At a certain size, your org should be a resale partner with whatever cloud service it is, so the end customers are getting their own accounts. This varies by size and $$$ spent.

Credit cards should never be linked across accounts thanks to PCI-DSS compliance.

Same IP ban is also not likely unless you are actually doing nefarious things across multiple accounts. I am also making the assumption you are connecting from some business account and not a residential ISP, though that is changing thanks to covid. FWIW, I have worked at many companies where offices of 300-500 proxy outbound traffic to a single IP, that’s why I don’t believe this is a concern.

The ultimate problem is when you have several logical partitions but no billing partition. Also, the large marketing firm I worked at had zero phone support with Facebook and Google, yet we did this all day (with a single IP address).

This all boils down to one common thread: you should be taking advice from a lawyer on whether the terms prevent such actions, and you should have a business continuity plan. If the vendor does something egregious, like shutting down all accounts, then your lawyer can ship them a nice letter which will get their attention.


> Credit cards should never be linked across accounts thanks to PCI-DSS compliance

Afaik, PCI-DSS doesn't prevent you from storing cryptographic hashes of cards. Therefore cards could still be linked via hashes.


> At a certain size (...)

I think this is key.

> Same IP ban is also not likely (...)

Thanks for answering! I had no idea.


I'm so sorry. This sounds incredibly stressful for you and the businesses you support.

While you're working towards a resolution with Heroku, it might be possible to bring up some of these apps relatively quickly on Digital Ocean's App Platform since it uses many of the same buildpacks as Heroku: https://docs.digitalocean.com/products/app-platform/build-sy...

This won't help in the cases that need data for proper restoration, but perhaps it'll get some of the businesses you support taking reservations again sooner.

One benefit of having chosen a buildpack-based platform is that it's easier to move than most proprietary or bespoke approaches.


Redeploying on another platform was relatively easy to do.

Losing 10 years of data and information for all future reservations, etc. is harder to recover from. Not to mention the fact that I still have no idea if I was simply hacked and should be trying to notify customers (customers of which I now have no record, because, again, all data and backups are on Heroku-linked services).


I am sorry that it is too late and I know it is not helpful, but:

Always, always, always do a backup with an unrelated 3rd party. Be it a hard disk in your safe, AWS Glacier, whatever service.

If you do backup with your main and only provider, you are going to lose (data). Related: see the burning OVH data center (customers losing backups because they were in the same datacenter).
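The failure mode in this thread is that every recovery path (backups, credentials, customer records) ran through a single provider login. As an added illustration, not code from the thread or from Heroku, this small audit takes a constructed asset inventory (each access path listed as the set of providers it depends on) and reports the providers that sit on every path to an asset; a non-empty set means losing that one provider, whether by ban or by fire, makes the asset unrecoverable.

```python
# Constructed inventory modelled on the thread: each asset maps to a list of
# access paths, and each path is the set of providers whose loss cuts it.
INVENTORY = {
    "postgres backups": [{"heroku"}, {"heroku", "backup-addon"}],
    "env vars / credentials": [{"heroku"}],
    "app source": [{"github"}, {"laptop"}],
    "customer records": [{"heroku"}, {"heroku", "backup-addon"}],
}


def single_points_of_failure(paths):
    """Providers present on every access path to an asset.

    Losing any provider in the returned set makes the asset unreachable.
    An asset with no paths at all has nothing to intersect, so return empty.
    """
    path_sets = [set(p) for p in paths]
    if not path_sets:
        return set()
    return set.intersection(*path_sets)


def audit(inventory):
    """Return {asset: spof_set} for every asset that has at least one SPOF."""
    findings = {}
    for asset, paths in inventory.items():
        spof = single_points_of_failure(paths)
        if spof:
            findings[asset] = spof
    return findings


def add_independent_copy(inventory, asset, providers):
    """Return a new inventory with an extra access path for `asset`, e.g. an
    off-provider backup at a second vendor (hypothetical provider names).
    The original inventory is left untouched."""
    updated = {k: [set(p) for p in v] for k, v in inventory.items()}
    updated.setdefault(asset, []).append(set(providers))
    return updated


if __name__ == "__main__":
    for asset, spof in audit(INVENTORY).items():
        print(f"{asset}: reachable only via {sorted(spof)}")
    fixed = add_independent_copy(INVENTORY, "postgres backups",
                                 {"s3-glacier", "aws-iam"})
    print("postgres backups after off-provider copy:",
          audit(fixed).get("postgres backups"))
```

Run it against a real inventory by listing, for each asset, every way you could actually reach it with the primary provider's login revoked.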


Ah yes, the old "small company gets bought by a huge company, now you can't get customer service on the phone unless you're a whale".


Yep. It's better to assume this can happen. Still very unfortunate :(

I am just finishing https://deploymentfromscratch.com/ for anybody that wants to learn how to do it.


Do you have any sample chapters? The chapter titles are underlined like links but don't seem to go anywhere.


Can this be applied to self hosting on something like a raspberry pi?


Hi. Almost everything in the book is still applicable. You would probably have a Debian-based distribution there, but if you already use APT, there is no trouble switching from DNF. Debian is systemd-based, so most things apart from the package manager apply.

I don't talk about on-premise specifically, but if you control your router, you can open specific ports and forward them. You might want to make sure your Raspberry has a static IP (and not dynamically assigned).


Really sad to hear this. The advantages of a managed service (PaaS) are easily outweighed when they decide to shut down your company... and with Heroku, Firebase, etc. there is technology lock-in.


I could recommend Dokku and Ledokku as they are a fine self-host alternative for small PaaS operation needs.

- https://dokku.com/

- https://www.ledokku.com/

If you don't like to self-host, I've been happy with onrender for my PaaS needs, and Vercel/Netlify are excellent for your frontend needs.


The problem with *AAS is one day they decide they don't like you and you're caught out in the rain. It's pretty difficult to gauge when and if that will happen and thus assess the risk.


This is very worrying - do update this thread if you can get a resolution on this. I'm surprised to see this to be honest, but it's a good reminder to all who use cloud services to have a strong "fire alarm" plan whereby you can deploy quickly elsewhere without too much downtime to your app customers.


Downtime is one thing, data loss is another. Easy to redeploy elsewhere, but backups/etc. were all on Heroku-linked services.

I'll definitely be updating the thread with however the now-started legal process plays out.


I hope you get your data back at least. Can I ask why you considered a cloud host initially?


Easy deployment and scaling of resources a decade ago, familiarity and not too expensive to switch as time has progressed (of course I host things elsewhere, just have a lot of client/personal data on Heroku).


Try metacall instead: https://metacall.io



