Just received this email from Heroku. Given the timeline it seems like the breach is pretty serious.
"As part of our efforts to enhance our security and in response to an incident published on status.heroku.com, we wanted to inform you that we will begin resetting user account passwords on May 4, 2022. We recommend that you reset your user account password in advance here and follow the best practices below:
Minimum of 16 characters
Minimum complexity of 3 out of 4: Uppercase, Lowercase, Numeric, Symbol
Don't just add a letter or a 1 digit number to the existing password while changing
Passwords may not be duplicated across accounts
If you do not reset your password and your user account password is reset by Heroku on May 4, 2022, your existing password will no longer work. To log in to Heroku, you must reset your password by accessing the Heroku login page and clicking the "Forgot your password?" link . Please be aware that you may be required to reset your passwords again in the future. "