Just received this email from Heroku. Given the timeline it seems like the breach is pretty serious.
"As part of our efforts to enhance our security and in response to an incident published on status.heroku.com, we wanted to inform you that we will begin resetting user account passwords on May 4, 2022. We recommend that you reset your user account password in advance here and follow the best practices below:
Minimum of 16 characters
Minimum complexity of 3 out of 4: Uppercase, Lowercase, Numeric, Symbol
Don't just add a letter or a 1 digit number to the existing password while changing
Passwords may not be duplicated across accounts
If you do not reset your password and your user account password is reset by Heroku on May 4, 2022, your existing password will no longer work. To log in to Heroku, you must reset your password by accessing the Heroku login page and clicking the "Forgot your password?" link . Please be aware that you may be required to reset your passwords again in the future. "
For those of you that haven't been following, Heroku has been adding non-update updates to this security thread over the last couple of weeks, which began with the announcement that some (or maybe all) of their GitHub granted access tokens had been compromised: https://status.heroku.com/incidents/2413
Now, weeks later, we're hearing that all account passwords are being reset, and for some reason if you have been using an HTTPS-style log drain that you should reset any secrets related to it as well.
Heroku needs to come out and clearly state what they know about this situation, and more importantly what they don't know -- which is starting to sound like the answer is "a lot". It's not even clear they know how this all happened -- whatever door was left open might still be open. So if you've gone and rotated all of your application secrets (which you probably should do), be prepared to rotate them again when this is all over.