Did you know that by default databases on Heroku are open to the world and anyone can connect to them?
They explain this in https://help.heroku.com/QVRZIEAH/why-am-i-seeing-connection-errors-for-my-heroku-postgres-database-from-an-unexpected-ip-address-what-are-these-unauthorized-connection-attempts.
This would be okayish if those log attempts did not count against the logging add-ons and even their internal logging limit. So what happens if someone tries to brute force the DB instance?
First, logs get dropped, as Heroku Logplex starts dropping all logs once it becomes too much to even show them (https://i.imgur.com/cvpHcwi.png). Second, if you have a logging add-on, you most likely lost valuable logs (let's hope you are not storing them for compliance) and you have to upgrade to a higher plan just to have them processed, ignoring that some of them won't even get logged.
Support says this is not abuse, they won't block offending IPs, and that one should upgrade to a private space, which costs 6x more.
Tell me if this is ok practice, I don't think it is?
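To measure how much of a log drain this noise occupies, the sketch below (an added example, not part of the original post and not Heroku's code) counts rejected Postgres connection attempts per source host and totals the messages Logplex reports as dropped. The sample lines are constructed and the line layout is an assumption; the `FATAL` texts are PostgreSQL's standard messages and `L10` is Logplex's buffer-overflow code.

```python
import re
from collections import Counter

# PostgreSQL's standard rejection messages; only the pg_hba one names the client host.
PG_HBA = re.compile(r'FATAL:\s+no pg_hba\.conf entry for host "([^"]+)"')
PG_PASSWORD = re.compile(r'FATAL:\s+password authentication failed for user "([^"]+)"')
# Logplex overflow notice; the exact wording here is an assumption.
L10 = re.compile(r'Error L10 \(output buffer overflow\): (\d+) messages? dropped')

# Constructed sample input (documentation IP ranges, invented dyno names).
SAMPLE = '''\
2024-01-01T00:00:01+00:00 app[postgres.101]: [DATABASE] FATAL:  no pg_hba.conf entry for host "203.0.113.7", user "postgres", database "postgres", SSL off
2024-01-01T00:00:01+00:00 app[postgres.102]: [DATABASE] FATAL:  no pg_hba.conf entry for host "203.0.113.7", user "root", database "postgres", SSL off
2024-01-01T00:00:02+00:00 app[postgres.103]: [DATABASE] FATAL:  password authentication failed for user "admin"
2024-01-01T00:00:02+00:00 app[postgres.104]: [DATABASE] FATAL:  no pg_hba.conf entry for host "198.51.100.23", user "postgres", database "template1", SSL off
2024-01-01T00:00:03+00:00 heroku[router]: at=info method=GET path="/health" status=200
2024-01-01T00:00:03+00:00 heroku[logplex]: Error L10 (output buffer overflow): 42 messages dropped since 2024-01-01T00:00:01+00:00.
2024-01-01T00:00:04+00:00 app[postgres.105]: [DATABASE] FATAL:  no pg_hba.conf entry for host "203.0.113.7", user "postgres", database "postgres", SSL off
'''

def summarize(log_text):
    """Return counts of rejected DB connections, their sources, and dropped messages."""
    lines = [line for line in log_text.splitlines() if line.strip()]
    by_host = Counter()
    rejected = 0
    dropped = 0
    for line in lines:
        hba = PG_HBA.search(line)
        if hba:
            by_host[hba.group(1)] += 1
            rejected += 1
        elif PG_PASSWORD.search(line):
            rejected += 1  # no host in this message, so it is counted but not attributed
        else:
            overflow = L10.search(line)
            if overflow:
                dropped += int(overflow.group(1))
    return {
        "total_lines": len(lines),
        "rejected": rejected,
        "noise_ratio": round(rejected / len(lines), 2) if lines else 0.0,
        "top_hosts": by_host.most_common(5),
        "dropped": dropped,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A high `noise_ratio` together with a non-zero `dropped` count is the situation described above: rejected connection attempts are consuming the log budget while other lines are being lost.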