More context, from the latest email notification:

> We also wanted to address a question regarding impact to environment variables. While we confirmed that the threat actor had access to encrypted Heroku customer secrets stored in config var, the secrets are encrypted at rest and the threat actor did not access the encryption key necessary to decrypt config var secrets.



Where do I find those notifications? I only got a single email, stating I should "reset my user password as mentioned in our previous notification". Nothing prior, nothing since, and their password reset form shows nothing but "Internal Server Error". I've been getting some details from HN but I think I'm missing a lot of the picture since they obviously don't send everyone every email.


I have 21 emails from them with the subject "[Issue] Heroku Security Notification", since this started.


I got 1, seemingly a week after most people.


> and the threat actor did not access the encryption key necessary to decrypt config var secrets.

If the threat actor had access to any of the systems that use the key, they may not have needed to. Even this statement isn't clear that they couldn't have done it, but suggests that they don't think it's true...

This is really bad incident response messaging.



