Woah. https://substack.com/app-link/post?publication_id=458709&post_id=68974559

I talked with people at GitHub at the time who told me that, after getting more details from Heroku, the GitHub security team assessed Heroku as a major security risk due to the responses from the Heroku security team. GitHub immediately instructed the use of any Heroku products within its business to stop, and for staff to assume a full compromise on all Heroku keys. Some smaller sites were running on Heroku at the time, and they were turned off, with the secrets and passwords not reused elsewhere.