I started as Heroku GM a few weeks ago with intense enthusiasm to be a part of such a storied team. As you might expect, the last few weeks have not been what I would have imagined. But, contrary to what you might expect, I’m energized.
I’ve been deeply impressed by the skills and dedication of the Heroku team, and the commitment of Salesforce to Trust as our #1 value. I’m also energized because it is clear that the Heroku team does not stand alone inside Salesforce. To respond to this incident, Salesforce colleagues from around the company have augmented the Heroku team in every way possible. The Heroku team and their colleagues have worked around the clock, including nights and weekends. It’s often during a crisis when a team really comes together, and it has been inspiring to see that happen here.
Based on our investigation to date, and the hard work of our team, supported by a third-party security vendor, and our extensive threat detection systems, we have no evidence of any unauthorized access to Heroku systems since April 14, 2022. We continue to closely monitor our systems and continually improve our detection and security controls to prevent future attempts. Additionally, we have no evidence that the attacker has accessed any customer accounts or decrypted customers’ environment variables.
We’ve heard your feedback on our communications during this incident. You want more transparency, more in-depth information, and fewer “we are working on it” posts. It is a hard balance to strike. While we strive to be transparent, we also have to ensure we are not putting our customers at risk during an active investigation. Our status post on May 5, 2022, was part of our effort to get the balance right. Based on your feedback, we are going to start publishing only when we have new relevant information to share. Once the incident is resolved, we will publish details regarding the incident to provide a more complete picture of the attacker’s actions.
We know that the integration between Heroku and GitHub is part of the magic of using Heroku. We heard loud and clear that you are frustrated by how long it has taken us to re-enable the GitHub integration that simplifies your deployment workflows. We hope to reinstate the integration in the next several weeks, but we will only do that when we are sure that integration is safe and secure for our customers. Until then, please rely on git push heroku or one of the alternative approaches that utilize our Platform API. As we progress through our response, we will provide updates as they are available.
We can be better, and we will be. In the course of responding to this incident, we have significantly added to our overall security posture. We will work to rebuild your trust through more meaningful communications and bringing the integration with GitHub back online.
I have a lifelong enthusiasm for developers and the experience they have building software together, and I could not be more thrilled to be part of the Heroku family as we chart our course in the coming years. If you would like to offer me feedback directly, please contact me here: www.linkedin.com/in/bobwise
Revised on May 10, 2022, with updated links to documentation for GitHub integration and temporary alternatives.