
Always interesting to me with events like this that the actions or intentions of the "threat actor" are never discussed. The conversation is always finding tiny holes in the victim's systems and admonishing them for not being prepared.


Actions other than... (1) obtained access to a Heroku database, (2) downloaded customer GitHub integration OAuth tokens, (3) enumerated metadata on customer repos with the OAuth tokens, (4) downloaded some Heroku private GitHub repos containing source code, and (5) exfiltrated customer hashed and salted passwords?



