Hacker News new | past | comments | ask | show | jobs | submit login
Heroku resetting passwords for “a portion” of their users immediately
340 points by vorador 16 days ago | hide | past | favorite | 169 comments
Just received this email from Heroku. Given the timeline it seems like the breach is pretty serious.

"As part of our efforts to enhance our security and in response to an incident published on status.heroku.com, we wanted to inform you that we will begin resetting user account passwords on May 4, 2022. We recommend that you reset your user account password in advance here and follow the best practices below:

Minimum of 16 characters Minimum complexity of 3 out of 4: Uppercase, Lowercase, Numeric, Symbol Don't just add a letter or a 1 digit number to the existing password while changing Passwords may not be duplicated across accounts If you do not reset your password and your user account password is reset by Heroku on May 4, 2022, your existing password will no longer work. To log in to Heroku, you must reset your password by accessing the Heroku login page and clicking the "Forgot your password?" link . Please be aware that you may be required to reset your passwords again in the future. "




This is turning into a complete train wreck and a case study on how not to communicate with your customers.

For those of you that haven't been following, Heroku has been adding non-update updates to this security thread over the last couple of weeks, which began with the announcement that some (or maybe all) of their GitHub granted access tokens had been compromised: https://status.heroku.com/incidents/2413

Now, weeks later, we're hearing that all account passwords are being reset, and for some reason if you have been using an HTTPS-style log drain that you should reset any secrets related to it as well.

Heroku needs to come out and clearly state what they know about this situation, and more importantly what they don't know -- which is starting to sound like the answer is "a lot". It's not even clear they know how this all happened -- whatever door was left open might still be open. So if you've gone and rotated all of your application secrets (which you probably should do), be prepared to rotate them again when this is all over.


It's a small comms 101 thing, but the email is from "Salesforce Incident Alerts". Since the email's communicating to Heroku customers about a Heroku incident, the email should be from "Heroku Incident Alerts".

I know it's small, but some will skip the email because they don't use Salesforce software directly and wouldn't anticipate emails from a parent company.


Its small and deliberate. Setting the mental state of the customer to obfuscate the responsible party by throwing in Salesforce. A deliberate dark pattern.


Another small point that contributes to the poor communication - as of 4th May, the option to connect to Github is still there and the documentation hasn't been updated [1]. If you try to connect you get an obscure error that tells you nothing about the situation.

[1] https://devcenter.heroku.com/articles/github-integration


Yep, I would have 100% skimmed past that.


I just received an email back from an Incident Handler at Salesforce. I wrote:

> A statement that confirms whether or not config variables and secrets were accessed, or that you're not sure, needs to be sent out.

To which they replied:

> We currently have no evidence that Heroku customers’ secrets stored in config Var were accessed. If we find any evidence of unauthorized access to customer secrets, we will notify affected customers without undue delay.

Take that as you will, but it doesn't fill me with confidence.


https://thezvi.wordpress.com/2021/12/20/law-of-no-evidence/

> Law of No Evidence: Any claim that there is “no evidence” of something is evidence of bullshit.


What else can you say?

It's impossible to know if a vulnerability was exploited.


"We don't have enough information to determine whether or not this vulnerability was exploited. We are operating under the assumption that is has been." is what I want to hear. I do not want to hear "We have no evidence that the vulnerability has been exploited." which, of course, minimises the fact that it may have been and does nothing to communicate what assumption they're working under - i.e. that they're probably going to assume it hasn't been exploited.

TL;DR: I'd rather them be entirely up front about the fact that they can't tell if it has been exploited and advise you to assume it has been than them try to weasel out of saying their logs aren't good enough but "you'll probably be alright, eh".


> We are operating under the assumption that is has been.

This gets expensive quick.


Probably the reason people try to avoid security incidents

In this case it's already happened, time to spill the bag


"If you think safety is expensive, try an accident!" - Stelios Haji-Ioannou


Which really means that if you discover a vulnerability in your system, you assume that it was fully exploited.


Reality: You can’t prove a negative.


Why? I think it's pretty evident that there's no reason to believe there's been a security breach there as far as they understand as of now.


There was certainly a breach three weeks ago that they seem to have been investigating since. I am, like the commenter above, not filled with confidence about their statement, mostly because of the total lack of transparency so far.

The fact they’re only now sending additional notifications to rotate creds hints at something bigger than they initially announced, but really we have no idea since they never gave much detail in the first place.


There was a security breach. They don't know what the breach was, they don't know if the attacker has access to other systems, they just don't know.

No evidence of something is not particularly useful information if you weren't even looking out for it in the first place.


Github tokens were accessed and used to attack things outside of heroku. Something was breached. We don't know what, when it occurred and extent of the breach and I bet heroku doesn't know either.


So the original issue was described as a leak of github oauth tokens, and made it sound like the risk would be someone using oauth tokens to access github repos.

Resetting passwords implies something else may have been compromised (passwords, either hopefully encrypted), but is a pretty scary ask for them to make without providing more context here.

Trainwreck indeed.


I certainly hope that passwords aren't encrypted but run through an appropriately-expensive password hash.


Yes, I should have said hashed not encrypted.


hashing is one-way encryption tho


That's the point, take a look into salting + hashing passwords


Resetting the password resets your API key, which is different from the Oauth tokens.


I found the email I received about the logdrain today to be particularly confusing. "any secrets related to it" indeeed. The specific wording in the email was... "We recommend updating and refreshing the credentials used with those log drains as soon as possible."

I'm still not entirely sure if I've reset/rotated everything I need to, what is "any credentials used with"? Neither the email nor any docs it linked to was clear about exactly what they are suggesting be rotated.

That message wasn't very specific, while also they're not providing the context about the breach that one could use to fill in the gaps.

At this point it kinds of sounds like... everything there is was compromised?


Very confusing! To clarify for others, what they mean is that if there was a secret embedded in the log drain URL, rotate it. This is often the case for HTTPS log drains.

Example: https://datadog.com/logs?api_key=abc123


>If you used your previous password on any other sites, we highly recommend you also change your password on those sites.

This is the most concerning part of that email, as it implies more than an "out of an abundance of caution", but rather that they suspect their password DB has been compromised.

Thinking about it, it does sound the most likely as they were probably the same DB the customer oAuth tokens were stored in that were used to access Github repositories. But if they already knew the data was stored together why wait till now to reset passwords?


Just to verify - having TOTP-based 2FA enabled doesn't help in case of a password DB breach, right? Since the protocol is based on a shared password, which means an attacker would be able to generate valid tokens using the secret they got from the breach. (looks like there's work underway to make a breach-resistant alternative to TOTP[1])

This means that assuming the DB is using proper salt+hash, the main differentiator is the strength of your password. If it's a relatively short one that can be brute-forced/found via dictionary+small mutation, then attackers could possibly log in as you. If it's a strong password from a password manager, then that will likely have kept them from being able to crack your password.

Of course all this only has value if we assume that only the password db was breached. If they managed to access the place your env-var/secrets are stored, then all bets are off.

[1] https://www.mdpi.com/1424-8220/20/20/5735/htm


I don't understand enough about the protocol to judge your claim, but it's challenging my assumptions about what 2FA is for. If 2FA with TOTP does not protect you in cases where the attacker knows your password... what is it for? I thought that's what it was for.


The server also contains the secret, so if that secret is leaked then the attacker can generate new tokens. It protects you in the case that your password was stolen, but nothing else e.g. via phishing.


OH, I see, thanks. The password and TOTP secret are separate, but you're suggesting they may likely both be stored in the same place such that a breach could give attacker access to both. Tell me if I don't have it right.

It occurs to me that I know how to reset my password most places I log in to, but I actually have no idea how to reset the TOTP secret.


It might be stored separately, the issue is just with an uncontained breach I suppose.


Heroku used to be freaking awesome, back in 2012. Ever since Craig Kersteins left circa 2015-ish, the UX, QoS, and platform really seem to have taken a dive into the complexity and nonsensical deep end.

It's what happens when the product visionaries get bored and leave. Such a shame.


Don't want to comment too much on this thread as I don't know the exact details of the incident and pulling for the team that is still around as I know this can't be an easy time for them. It does seem like the issue is not good and may continue to be trickle of updates like this for a while. Hugops to the team.

A wow, and thanks for the praise but the credit goes to way more than me. The team around in the early days was unbelievable, I learned a ton on building products and developer experience from James/Adam (founders) in particular, though Heroku wouldn't have gotten there without Orion (the other founder) as well. Byron, PvH, Mark, Noah, Morten, Oren were absolutely huge in so many ways to the leadership and direction of Heroku. And I'm sure I'm going to get messages from 50 others there in the early days that I didn't name drop them, the collective team was an awesome team and pushed each other really well.

At around 2015 it did feel like there was attrition and the technical leadership and vision started to fade. It wasn't me, it was a lot of us moved on to the next thing. At the time it wasn't Salesforce taking control or one person, we'd all put a lot into it and various folks moved on. Adam/Orion/James gave an incredibly amount and were understandably ready to recharge. Still very proud of what we created at that time, what it did for developer experience, and personally (along with that original Heroku Postgres team) trying to do what I describe as unfinished business for creating the amazing developer experience of Postgres.


Wasn't trying to imply it was all you, only that some of the qualitative declines I've observed began around the time you departed.

I know it's not an easy business to operate, and I'm also hoping the ship continues to stay afloat. Heroku was hugely inspiring to me and many others in the early days of Cloud PaaS.

Cheers.


You're being downvoted because having a "product visionary" does not in any way protect your company from being owned. It happens. If your point is that previous leadership would have communicated the situation more clearly, then perhaps you have a point, but even then it's purely speculation and not particularly useful to the current discussion.


It's okay, thanks for the feedback.

Downvotes don't bother me, they are a welcome signal.


in this context "pwned" is probably a better fit; natch?


They sent out a notification about cycling shared dataclip slugs today too.


Is papertrail a log drain?


Yes it is. Note that OP's comment only applies to those who connected Papertrail to their Heroku apps manually instead of using the Heroku addon to do it.


No


How do you know that? And that it doesn’t need to also be rotated?


It does. My thinking is that Heroku rotated everything they could do on their own, and need users to handle custom drains. However, looking at the json output, updated_at dates for the heroku-managed drains are old. I have a question back them about that.

Related, my hope is that the drains, passwords, etc. are efforts towards doing literally everything possible before re-enabling integrations so they can do so with more confidence (vs breach damage control). Fingers crossed.


Fwiw, I skimmed over all emails I got until I saw this thread.


You and me both, buddy


This has gone from bad to worse very quickly.

The initial issue was supposedly a breach of customer repositories. Which sounds bad, but if you’re not storing credentials in code, then the worst case is that a potential hacker had access to download your code. Not great, but certainly not as catastrophic as some breaches have been.

Since then, Heroku has been acting beyond strange. Everyday they update the incident with essentially the same non-update, but written differently, with vague references to the same information they’ve sent 14 days in a row.

Now, they send another very ominous and strange update about “some” customers having their passwords reset. However, based on this thread and my own experience, it seems like every customer is getting this message.

What does this have to do with the initial issue? Were actual Heroku accounts compromised?

This behavior is either extreme incompetence wrt customer communication, or they’re preparing to announce a truly insane breach that may include everyone that has ever used Heroku.

They need to get their shit together and quickly.


> Since then, Heroku has been acting beyond strange. Everyday they update the incident with essentially the same non-update, but written differently, with vague references to the same information they’ve sent 14 days in a row.

There’s a simple reason for this: their incident response policy requires they not leave customers un-updated more than x hours/days. Their tooling likely reminds someone if it isn’t done.


+1. If you need another data point, the entirety of my Heroku presence is a single free plan toy app that has literally been untouched for many years at this point, and I got the password reset notification.


Just FWIW... I have an account I created in 2013 (based on a registration email.) It appears in my 1Password, imported from LastPass, so I probably logged in around/after 2016. No later than Nov 2018.

I don't have the password reset email, and logging in just asks me to add MFA, and then to accept 2020 terms.


For another data point, I got an email yesterday from "Salesforce" about a Heroku dataclip. I had recently deleted it, so maybe the email was queued up a couple days before. The email says, in part, "We recommend that you update and refresh the unique URL used with dataclips using Shareable Links as soon as possible."


The password reset mail is yet another train wreck.

I received this email. The reset password link in it is NOT https. If I manually change the http to https it turns out that the server, click.msg.salesforce.com, is returning a certificate that is only valid for click.s10.exacttarget.com


I think all this link does is redirects to the 'Reset password' page (i.e. https://id.heroku.com/account/password/reset), with email address pre-populated, then shows a button to email the user a separate reset password link.

So I think the lack of 's' in http in the original link doesn't matter.

If I'm wrong, could you please explain why (I am reasoning as best I can, and am not an expert, and keen to learn).


You are right, by itself it doesn't matter. All Heroku users should be smart enough to figure this out themselves.

However, Heroku should also be smart enough to figure out that all links should be https and servers should have valid certificates.

For a company to make such basic security-related mistakes while in the middle of a bad security incident doesn't look good, to put it politely.

It sort of explains how they got where they are.


With a non-HTTPS link, an attacker could trivially MITM the connection and forward it to a domain like id.hеrоku.com instead with a completely valid SSL cert with lock symbol. In case you can't realize, that domain is made up of unicode homoglyphs and would be nearly completely indistinguishable from the real heroku.com in some browsers. They could have a website resting on that domain that is indistinguishable from the normal heroku website and simply acts as a form proxy, relaying the real credentials provided by the user to the actual heroku website, performing the password reset successfully while storing the legitimate credentials permanently and additionally scraping the user's cookie to utilize their access to the panel post facto even if the user has 2FA authentication enabled. It's a monumental fuckup.


The real problem is having a link in the email at all. How many readers will check to make sure the email is from a non-unicode domain and that an https link in the email goes to a non-unicode domain?


I certainly couldn't tell the difference, wow.. id.hеrоku.com and id.heroku.com look identical to me. I see the problem now.

How hard is it for an attacker to do a MITM? Would the attacker need physical access to the user's wifi router?


pay for colocation with BGP access with a fake ID or compromise any BGP-announcing router in the entire world (I've found cisco routers with announce access, with default credentials, on networks that don't do any kind of prefix filtering many times before) and you can trivially MITM most any network in the world with very minimal impact. I recommend you watch to Kapela and Pilosov's talk from DEFCON 16 to see how easy it is: https://www.youtube.com/watch?v=oWdjsfsS_Do

or if you don't want to do it via BGP announcement you can just compromise any of the devices that are along the route between the client and the server. BGP is the rocket launcher of worldwide circuit compromise, but there's many other guns you can pick up


Thanks for the recommendation, was very interesting. 14 years old though, things would have changed since, I hope?


Nope, nothing has changed! You can still MITM with BGP in the exact same manner! BGP is like SS7 -- once you get access to use it, it is wide open and completely insecure and no effort has been made to use it. All its security is predicated on the idea that anyone with access will have too much on the line to abuse it, and responsibility for monitoring announcements for your own IP is considered your own problem. Ask around -- how many people in your social circle of admins keep track of rogue announcements? How many would notice if this were going on?

More colocation facilities in the US and Europe now do prefix filtering at egress - but this matters little, as there are still quite enough that don't. In contrast, there's virtually no prefix filtering in Africa or Asia (remember when an accidental BGP announcement from Pakistan killed YouTube worldwide?)


I guess a concern could be that since this URL is insecure, it could redirect you wherever assuming your network is compromised (either their malicious URL, or even HTTP for the legit Heroku site assuming you don't have HSTS on it).

Obviously, you've checked the URL and seen that it's legit after, but realistically you should expect a legit email to not be feeding you a potentially insecure link.


Right. If you're on top of things then using plain HTTP links here didn't make anything worse, but if you aren't it's yet another unnecessary gift to bad guys because it's yet another opportunity for customers to get phished.


Sorry, meant if the end user's network was compromised, not the server's.

Whether or not you're on top of your game, HTTP leaves you vulnerable to MITM attacks[0]. So this would leave the end user vulnerable to any of these attacks even assuming Heroku has everything else perfect.

[0] https://en.wikipedia.org/wiki/Man-in-the-middle_attack


Along with the vague status updates that provide no information, this has been the most shockingly bad part of the response from my POV, as well. This felt like a phishing email (I know it is not, but given that emails were likely compromised along with OAuth tokens, an attacker could totally be sending - even alongside a legit campaign running as announced on their status site). Would have expected a valid HTTPS cert on the links in an email as sensitive as this one!

Salesforce isn't a small new startup where this can be understood as a cost of doing business, they are a tier-1 provider to the largest companies in the world. Unacceptable (but still sending #Hugops to the team dealing with this mess!)


I use HTTPS-only mode in Firefox and this is incredibly common. I think a lot of services are sending all mail through a click-tracking services and a lot of these redirect via HTTP.


I assumed that was a phishing email and didn't proceed.


If it isn't a phishing attempt it would be really surprising to me that they would use http. BTW, https://exacttarget.com redirects to an official Salesforce product page, but that doesn't guarantee it to not be phishing.


> If it isn't a phishing attempt it would be really surprising to me that they would use http.

Why? Technical incompetence is a systematic problem that comes from the top down. This is what happens when mediocrity becomes acceptable and takes priority over correctness.

I would suggest moving all of your business from Heroku ASAP. These kind of mistakes strongly suggest nobody capable of intelligent thought makes decisions at Heroku, nor has for awhile.


> If it isn't a phishing attempt it would be really surprising to me that they would use http

Spammers are the first to adopt https and all the mail and dns security stuff. It never was a sign of legitimacy


The website seems to be down at least for me.


"Passwords may not be duplicated across accounts"

This concerns me. How are they checking that no other account has the same password? Wouldn't that imply a strong possibility they're either hashing with the same salt across all accounts or not hashing at all?

Hopefully some of the smarter folks here can tell me why I'm way off base...


Perhaps they assume that all of their users’ passwords are pwned essentially immediately, so they can check against haveibeenpwned.com.

More seriously, it ought to be possible to create a data structure that, with some degree of security, will efficiently state either that a password is probably in a set or that it’s probably not. A bloom filter can do this, for example. I would not do anything of this sort in production, since, even if it has the best possible level of cryptographic security, any such capability could be abused to precompute a dictionary containing at least a massively higher than average density of Heroku passwords.

IOW, the mere fact that Heroku can tell if a password is or was in use with decent accuracy is, in and of itself, a dangerous oracle.


“Sorry, this password is already being used by joseph.h.blow@gmail.com, please choose another.”


every so often i'll find a website that has logins that will say "email address / username not found" instead of "username or password incorrect"; or, when clicking "i forgot my password" it will say it doesn't recognize the email address instead of "check your email inbox, if you have an account here, you will receive instructions via email".

I don't even


You can remove username enumeration from login and password reset, but it's much harder to remove it from signup. And this is pretty much an all or nothing, there's no point giving cryptic error messages (in the case of forgot password) to users when hackers will just use the signup form anyways. Want a good example? Hacker News: "That username is taken. Please choose another." I just tried on github, generic error message on login, explicit "email in use" error on signup. Amazon? Same thing.

I'd wager that 99% of website allow username enumeration. The very few cases that don't, typically shield their signup with additional steps (captchas, mobile OTP (e.g. paypal, ...)). None of which are foolproof and all of which are a compromise not just from a security point of view but also from a usability point of view.

Until someone gives me a great way to do this with signups, I'm going to stick with the much more usable forgot password error message.


Hacker News has username enumeration anyway because it has per-user profile links which, like Reddit's, are cool URLs (ie the URL has the username in it, as a parameter, not some UUID minted by a machine at random).

Also, and again like (most of) Reddit, Hacker News is public anyway, it's outright weird to have a HN user, choose a distinct name for it when you didn't have to, and then be angry that HN reveals the existence of your user.

However, if sites have distinct username and email then getting one doesn't give you the other.


How about email validation as a first step and send the "this email is in use" message via email instead of on the sign up form.

Adds friction to signup, but would work when it's really important to not leak account existence.


I think this is a good idea. It's essentially what I mentioned with Paypal requiring OTP before the signup process starts up.

But as you said, it adds a lot of friction to something most companies want to be as frictionless as possible: signups. So it's a compromise. I don't expect many companies will opt for it, except, as you say, those where it's particularly important.

I stand by my reply, since my parent implied that username enumeration was rare (i.e. "every so often") and some awful security practice (i.e. "I don't even")


multiple salts can be stored, no? and they can still figure out the same password. Google does the same, even going back multiple passwords in the past ("this password was used previously X years ago").


How would you check that across accounts if you had per-user salts though?


Ah I see, that I don't know (and I misread the original, quite correctly concerned post, my apologies). I am a customer and I will follow up with them about this. If I were to guess, they mean same accounts within the same organization, in case account setup has been automated.


They could in theory hash the new password with every salt on every other account and see if there is a match... but that seems unrealistic, and if they can do it, it would imply that they are not using a slow hash algorithm such as bcrypt.


Yeah, that makes sense!


This is the response I got:

> Sorry, that part of the email wasn't clear. We don't compare passwords between Heroku accounts, this was more of encouragement so customers will hopefully practice good password hygiene.


It is easy to determine previous password. Just store the previous hashes with the salt and check it when the user changes the password. The too similar checks are easy when you require the previous password. You can compare the new and old passwords together.


I'm pretty sure they don't check. "May" now means "legal told us to ask you to PLEASE don't do this".

Related, I often see people trip on the sense of MAY in RFCs (https://www.ietf.org/rfc/rfc2119.txt), because in everyday use it has become "passive-agressive must".

edit: I'm ESL so might be reading way to much into this.


"may not" is kind of weird, and probably was a legal team decision. "passwords can not be reused" would imply security issues that an A+ certified fresh-faced intern would prickle at, but "should not be reused" is too mealy and "Do not feed the ducks"-ish.

Also while "MAY" in RFCs per that document mean something, press releases aren't RFCs and there may be significant amounts of money riding on the exact interpretation of what those words mean.

And "reading way too much into" is the bread and butter of lawyers, technologists, and mathematicians. Don't worry about it!


All you do is keep a history of Password + Salt. When you change the password you hash the password against all historical salts, if one of those matches then you know the password has been re-used.


Perhaps the haveibeenpwned.com API? Otherwise that does seem odd

https://haveibeenpwned.com/API/v3


Couldn't you freeze the current, compromised database and when a user tries to set their password, try to "log them in" to the frozen db?


What does that line even mean? Duplicated across what accounts? Obviously they aren't checking that every password across Heroku is unique.


That's how I read it. How else would the sentence make sense? Maybe they're saving a separate list of all passwords, saved with the same salt, but not associated with any account? Not sure how compatible that would be with the rest of their "security measures", but then again, their security policy is all over the place already.


not that they're using it, but this is something that a zk proof would be a good solution.


The fact that I haven't heard more about this Heroku breach makes me think that maybe fewer startups than I thought are actually using it.

I'm at a startup that's been on Heroku since its inception and this breach has got my team thinking about moving to AWS for the first time, even if our scale doesn't necessarily demand it yet.

Does anyone that has done this transition in the past have any advice?


There was a time when everyone I knew had a rails app on heroku, and I mean everyone. Now it's just one guy left. I don't know if this translates outside of my small social circle, but they all seemed to fade hand in hand, rails, and heroku in my local group.


Have been involved with 2 companies migrations from Heroku to AWS.

It all depends on your company resources. In my cases the companies were no longer startups and could afford to staff Platform/Infra teams and build out a bespoke solution on AWS. This was an area the company wanted to invest in.

If you're still a legit startup where money/dev resources is tight, I would recommend first looking into one of the Heroku clones/competitors.


We've been checking Render and Fly as they progress, they seem like the modern equivalents if you're not quite ready for AWS.


To be honest I've been on Heroku for a long time, but Render looks extremely appealing. Cheaper and more modern. The only downside is they don't have native support for PHP yet... still waiting on that to switch over.


Render is awesome and offers among the best platform-as-a-service experience available today, at a lower cost than Heroku. That said, you're still locking yourself into a black box (just like with Heroku).

Given the availability of tools like Coherence (www.withcoherence.com) that deliver a great developer experience in your own cloud, it makes sense to evaluate them alongside modern PaaS if you're migrating off Heroku today.

(disclosure, I'm a cofounder of Coherence).


Another thing to be mindful of with Render: currently there's no native high-availability Postgres / Redis.


We're also starting to look into this. We're already spending more than we need to, but depending on what this breach turns out to be, we very well may need to move to AWS to keep our enterprise customers happy.


Yeah, same here. I have accelerated my plans to move to either GCP or AWS. I am evaluating both and plan to move to Kubernetes... even though I'd been avoiding it as long as possible.


Check out Render


I'd already be on either fly.io or Render, but my company has a hard requirement for SOC2 and ISO27001 certification. Heroku has it, Render is working on it, but not there yet.


I didn’t use the GitHub integration and still received this email. That’s concerning, and to me, indicates a larger breach than they’ve communicated thus far.


Yes, same here. Looking like a really big breach is my guess given the strange wording and downplaying of the issue, combined with what we actually know (Heroku source code accessed; Github tokens leaked; some other tokens leaked and now mandatory password resets).


Just adding a "me too" to this thread. I just saw in my inbox my warning. I haven't used Heroku in roughly a decade. My last activity was circa early 2014, but mostly 2013.


Just got this email as well. They ask us to "reset" our password through a link inside the email itself which I won't do out of habit since this could be a phishing attempt for all I know. So could I just change my password on the site itself? Would that be the same thing as the "reset" that they're requesting of us or does the link inside the email set a special flag of some sort? The link is wrapped in some type of redirect so I can't really tell.


It's the normal password reset page


I have 3 different Heroku accounts of different vintages, one of which I haven't logged into in ages. Sure enough, each got the notice. So yeah, ready to call BS on this being "a portion" of users.


I didn't get the notice - heroku account from August 2019 that I haven't used since then.


Me neither. I never actually published anything, so that might be the reason.


UPDATE: Got the email 2 hours ago


I'm relatively new to Heroku (about 2 months) and haven't received a notification


I have 2 Heroku accounts. 1 received this email. The other has not.


Oh wow, I'm definitely alarmed by this whole situation.

I've went ahead and just deleted the whole account - it's at the point where I don't want to do business with this company, full stop.


may not be related - and def a tiny little data point -

I sent heroku an email about a week or bit more ago - complaining that I had gotten a very well crafted phishing email - which was seriously very clever in it's timing (or just blind lucky for them, as I was changing servers and dns and things within 48 hours of this) - that made it look I needed to login and do something with server credentials or something similar.. and the link to click to fill info went to a heroku app with a name attached to it..

So I emailed them and asked them to look into it to see if it was overly obvious that user XY was getting clicks and if they had set up some sort of official looking form to phish server accounts or something like that - memory a bit foggy in the midst of so many changes past couple weeks.

Never heard back from them, but maybe my email helped them realize some things were not being used as they should of been authorized to be used for. Maybe not.


This email arrived in the evening but this morning I received the hard word to switch to AWS - NOW! - instead of wasting time with Heroku. Several orders of magnitude more complex but probably the right answer.


We had some legacy applications running on Heroku. We're porting it over to our EKS infra over the next couple weeks. There has been no explanation how the Github keys got leaked and I can only assume the worst.


Nowadays there are many solutions that aren't AWS. Render, Porter, Fly.io to name a few.


I was wondering if that email was going to make it to HN.

This whole things has been an absolute s*tshow. Now I'm worried that there is a much bigger issue at play, and we might actually be in a bit of trouble.


Without reference to Heroku's current incompetence.

As a general thing, I like the idea of a "swift, well written" email to your entire userbase saying "please reset your password, now."

That seems like a perfectly reasonably response, and request of your user-base.


I'm wondering at what point we'll see more sites transition to server generated passwords. At login time, the UX of a server generated password is about the same for anyone who saves their password in a password manager, i.e. it autocompletes.

But at password generation time, it's much easier. You don't need to tell the user all these rules about length, complexity, reuse, etc. The server generates the password in a way that's sufficient, and the user just saves it. It also avoids the mess of password manager generated passwords not meeting some criteria, or passwords meeting client side checks but failing server side checks.

When you've got so many sites asking for passwords >=10, >=16 characters in length, is anyone actually able to memorize a truely unique password per-site any more?

Besides, a server generated password has known entropy, so you can model the security much more accurately. This push for really long passwords is to guard against low entropy passwords that users create, although users seem to respond predictably: [password] too short? I'll try [password]123 or [password][password].


That's all fine until there's a bug or attack and now your server generated password is logged somewhere.


Agreed, you don't want to log passwords. But that's not unique to server generated passwords, you also need to avoid logging user generated passwords as well.

I'd recommend storing server generated passwords in the same way a user generated password should be stored on the backend: bcrypt or scrypt.


(1) pretty crazy that that same incident is still ongoing/unresolved.

(2) just saw that the password reset will invalidate all API tokens. Arrrrggh. Annoying!


Heroku github connection has been broken for >14 days.

And heroku doesn't seem to acknowledge that at all.


That's not true. https://status.heroku.com shows that the incident is ongoing, that they've disabled the GitHub integration, and don't have plans to reenable it until full assessment is complete


Unless it's changed in the past hour, status.heroku.com shows a green checkbox and "No known issues at this time."


It's under tools. Click on that and you'll find that they turned off github.


You have to actually click on the general advisory of the email from Salesforce (which isn't obviously actually useful to click, there's no arrows indicating it'll expand or anything) and then you have to scroll down to an entry which isn't signposted.

Additionally, in two browsers, if I clicked to expand it, then clicked the 'back to current status' button, it errored out with the console full of errors and couldn't be clicked again, which doesn't fill me with too much confidence.

What a mess. I have fond memories of Heroku (or rather, how little I had to think about anything deployed to it. Liberating.)


That didn't even mention GitHub. It was a generic message about security


Account since 2021. No notice. Transparent as a brick wall, in true Salesforce fashion.


UPDATE: Just received a notice. Only spun up a single dyno to see what it was like for about 10 minutes in 2021. Never logged in again. No integration with GH or anythig.

Assume they've been pwned end-to-end based on this alert.


Again, stop it with the passwords.

Because passwords are shared secrets, the relying party (here Heroku) can lose them and then will predictably act like somehow this is your problem when it happens, see also "Identity theft" aka "We're incompetent and our money got stolen but it's convenient to pretend that's actually your money and ask when you'll fix it".

Use WebAuthn. If (when) outfits like Heroku incompetently lose the credentials nothing interesting happens.


New update at https://status.heroku.com/incidents/2413 as of MAY 5, 2022 02:21 UTC the core paragraphs are

> On April 7, 2022, a threat actor obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens. Access to the environment was gained by leveraging a compromised token for a Heroku machine account. According to GitHub, the threat actor began enumerating metadata about customer repositories with the downloaded OAuth tokens on April 8, 2022. On April 9, 2022, the attacker downloaded a subset of the Heroku private GitHub repositories from GitHub, containing some Heroku source code.

...

> Separately, our investigation also revealed that the same compromised token was leveraged to gain access to a database and exfiltrate the hashed and salted passwords for customers’ user accounts. For this reason, Salesforce is ensuring all Heroku user passwords are reset and potentially affected credentials are refreshed. We have rotated internal Heroku credentials and put additional detections in place. We are continuing to investigate the source of the token compromise.


It feels a by developers for developers platform should have be competent with these matters.

Hobbyists and Developers who are looking such a platform should expect they are least technical to solving harder software problems then they are, and that’s worth paying the premium for.

May the 4th be with you.


In the email Heroku also says any API access tokens will be invalidated upon password reset so those have to be updated too! Not sure how much effort that requires but it doesn’t seem like it’s as easy as just changing a and having to think of a 16 minimum character password :$

NOTE: A password reset will also invalidate your API access tokens. As a result, any automations you’ve built to integrate with the Heroku Platform API that use these tokens may result in 403 forbidden errors . To avoid downtime you will need to re-enable direct authorizations by following the instructions here and update your integrations to use your newly generated token.


Minimum of 16 characters??

Do they not have any fraud screening or rate limiting on these things, 2FA on unknown devices or something?

I've had my same password forever (I'm old) on google without issue) that is scary short. However, when I login from a new device or every 30 days or go to an admin / security page it asks me to stick my yubico key into my computer. Works fine.

Is this same password used for high volume API stuff without anything else? Normally that's with an access token type system (at least on AWS). Those, yes, should be highly complex. The AWS access / secret key combo is ridiculous frankly in length (mixed case + numbers + symbols) * 40.


Minimum of 16 characters is great, especially for a service with technical users.

"Scary short" and "same password" are terrifying to read. Get a password manager (I recommend 1Password) and use it. My dad is 78 and uses a password manager -- so can you.

Regardless, stop reusing your password please! This is the most basic security measure possible.


Scary short is fine. 6 characters (case sensitive + 10 digits alone) = plenty of complexity if you are doing ANY type of intrusion detection.

Coupled with a Yubico and I feel pretty darn secure.

I don't re-use the password, because it doesn't rotate I can also remember it.


If we haven’t gotten an email, does that mean our account wasn’t part of the leak?

Was this a system wide event?

We have been on Heroku for ~5 years and the last 18 months have been far less reliable. Sad.


Well, this is just a big turn-off. GitLab did this to me recently, apparently for security purposes. However, someone changing my password for me is a mega breach in my security. GitLab lost my business because of this "security feature" or whatever. GitHub if you do this, I will self-host my code, and stop using your service. Other companies who market to Software Engineers, and security folk, should take heed.


I do want to say there are legitimate reasons to have your users have a forced reset. For example, you’re upgrading your encryption, you migrated to a new IAM system, you’re handling of UTF8 could have been wrong or your meeting a new compliance standard that requires stricter passwords. I don’t know what happened with GitLab, but a telltale sign it’s bad is if they do it for you and not on your next login.



"Passwords may not be duplicated across accounts"

hmm, how do they know if those passwords are same across accounts?

Either they save them in plaintext or they can't check if I have same password as some other account.


Earlier today I thought: ok, apparently I am not part of the "portion of users" but fast forward to a few hours later and I also got the email.


Closed my account, I hope my password didn't get leaked


Does it matter if the actual password is leaked in this day and age? I use a password manager and generate 64+ character passwords for each service.


in my personal opinion, 64 character passwords are overkill, and i absolutely refuse to put a password manager on a cellphone. That's just asking for trouble should i ever have my phone confiscated for any reason.

I use a private matrix server to send passwords from my laptop/desktop password managers to myself in E2EE channels, then delete the message. On occasion, if a password is only 18 or 20 characters (like an admin account or a single user service account) i'll type it by hand. And i use all lowercase "easy to say" passwords whenever possible. I do not believe (and never have) that adding an ampersand and a 7 to a password makes it more secure than adding "rb" to the end of a password.


> 64 character passwords are overkill

> i send E2EE passwords to my phone from my laptop or desktop using E2EE channels in a private matrix server i have and delete the messages immediately after


fair enough


Biggest problem is the API keys that were potentially/allegedly visible to a third-party or leaked. Depending on how far that goes back, if you don't have cold log storage you might not be aware of which exact keys are out there.


Heroku competitors are getting endless Christmas.


Interested. Can you list some ?


Aptible (though geared more towards Healthcare/Compliance space).

^ Note: I use to work for Aptible


Render

Porter


fly.io, render


+1 for fly - it's great.


If only any of them were even slightly competitive.


How are they not competitive?


They either always have some critical piece of functionality missing, or require much more configuration and hand holding than Heroku does. That's not to say they aren't useful, but for serious businesses it's hard to migrate without assuming you'll need a DevOps person to run it. Heroku on the other hand is so hands off, that you really don't need anyone specifically to manage it. We spend about $1,000/month for Heroku managing a SaaS app with 40,000 users and I have never had to tweak or configure Heroku beyond initial setup and then just scaling, which is literally just clicking a button.


I think you're seriously underestimating Heroku's competition here.


I'd actually love to be proven wrong here. I don't want to stay on Heroku, but I also don't see other viable options. My requirements are such that I cannot have a dedicated Cloud Engineer or DevOps person, and in reality, I want to spend 0 hours per week thinking about my cloud infrastructure. Heroku allows me to do that.


fly.io feature set and dx is great


fly.io looks OK feature-wise, but requires a credit card to do anything and there's no indication of how you can accidently exceed the free tier. That's a dealbreaker for me - I want to evaluate some PAAS offerings for a company, but it's a hassle to get authorization to use a company credit card, especially when I just want to kick the tyres.

Heroku, Render, Railway and most others let you at least run a toy app without needing a credit card, fly.io is doing themselves a disservice here.


Or they're separating themselves with their value proposition.


Maybe, but still it means I'll just pass on fly.io and go with render. Their feature set is not that compelling that I'll want to jump through hoops to get company authorization or have to deal with expenses to use my own card.


They are now also resetting integrations. I got notice that I need to re-add Slack integration.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: