We have concluded our investigation and want to provide our customers with an overview of the threat actor’s actions, direct mitigations we have taken because of this incident, and additional changes we will make in the face of a continually evolving threat landscape. Our incident summary outlines what we have learned during the course of our investigation starting on April 13, 2022, and ending May 30, 2022. This incident summary and the numerous actions we’ve taken to add to our overall security posture are part of our ongoing commitment to maintain your trust.

On April 13, 2022, GitHub notified Salesforce of a potential security issue, kicking off our investigation into this incident. Less...


[Update: May 25, 2022 - GitHub integration is now re-enabled. You can connect to GitHub immediately or wait for the enhanced integration as described below. To re-establish your GitHub connection now, please follow these instructions.]

We know you are waiting for us to re-enable our integration with GitHub, and we've committed to you that we would only do so following a security review. We are happy to report that the review has now been completed.

One of the areas of focus was a review of the scope of tokens we request from GitHub and store on your behalf. Currently, when you authenticate with GitHub using OAuth, we request repo scope. The repo scope gives us the necessary...


I started as Heroku GM a few weeks ago with intense enthusiasm to be a part of such a storied team. As you might expect, the last few weeks have not been what I would have imagined. But, contrary to what you might expect, I’m energized.

I’ve been deeply impressed by the skills and dedication of the Heroku team, and the commitment of Salesforce to Trust as our #1 value. I’m also energized because it is clear that the Heroku team does not stand alone inside Salesforce. To respond to this incident, Salesforce colleagues from around the company have augmented the Heroku team in every way possible. The Heroku team and their colleagues have worked around the clock, including nights and...


We launched Salesforce Functions last fall and the response so far has been terrific. While the most obvious use cases for functions are stateless processing of data, there are many examples of business processes that can take advantage of the simplified operating model of functions, but require some persistent state to span function invocations.

Today, we’re happy to tell you that we’ve added a new feature that enables stateful function invocation using Heroku Data products. It’s a simple feature that lets your functions securely access Heroku Data products, including Heroku Postgres, Heroku Kafka, and Heroku Redis directly from your function.

Access to Heroku Data is enabled through ...


At Salesforce, we strive to balance the security of your data and apps with an efficient and enjoyable user experience. Last year, we shortened login sessions for the Heroku Dashboard to 12 hours to improve security. Starting today, users can stay logged in for up to 24 hours. Even better, if you have multi-factor authentication (MFA) enabled and use the Heroku Dashboard daily, your session can be extended up to 10 days before you need to log in again. If you are idle on the Dashboard for more than 24 hours, you must re-authenticate. SSO-enabled users were not impacted by these changes and will continue to log in through their identity provider every 8 hours.

We've learned a lot on...

