Heroku Security Notification
Incident Report for PDF Otter
Resolved
As of now, we have no reason to believe we were affected by this incident. We'll continue to monitor it and post any updates here.
Posted Apr 18, 2022 - 21:23 UTC
Update
We are continuing to monitor the situation. We haven't received any indication from GitHub that we were affected.
Posted Apr 17, 2022 - 12:46 UTC
Update
We are almost done rotating all of our security keys. We are waiting on one remaining rotation, for which we have opened a support request with the vendor (overall low risk). None of these keys were ever stored in source control, but until we know the blast radius of this incident we'll take every precaution we can.

We haven't received an email from GitHub definitively stating we were affected, though they said it could take 72 hours to receive one. We'll update this thread when we find out more.

Some additional details about this incident: We learned about the Heroku breach last night over email (12am ET). We immediately followed Heroku's direction to disable the Heroku/GitHub integration. We also checked GitHub's security logs and didn't see any suspicious activity. We deemed the immediate risk to be low, especially since we never stored any credentials in git.

This morning, we investigated the incident further and read anecdotes from developers who had their private GitHub repositories compromised. Their stories made us less confident that the security logs we checked last night accurately answer "Were we affected or not?" We are currently on high alert and responding accordingly.
Posted Apr 16, 2022 - 18:41 UTC
Investigating
We don't have evidence that we have been affected yet. Until we know for sure, we'll act like we have been:

1. We checked that no secrets are, or ever have been, committed to git
2. We're rotating credentials out of caution
3. We're temporarily removing non-critical Heroku add-ons/integrations
4. We're prioritizing any outstanding security bugs

Customers on Heroku: Please make sure you don't have any API keys committed to source control. Contact us immediately (security@pdfotter.com) if you want to rotate your PDF Otter API key and we'll walk you through it.
Posted Apr 16, 2022 - 16:26 UTC
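The check in step 1 above, and the advice to customers about keys in source control, both come down to scanning the full git history rather than just the current tree. The following is an added example (not PDF Otter's own tooling) of how such a scan can work: it walks `git log --all -p` output, tracks the commit and file, and reports added lines that match credential-shaped patterns. The patterns and the sample log are constructed for illustration; tune the patterns to the key formats your own vendors issue.

```python
"""Scan a git repository's full history for lines that look like API keys."""
import re
import subprocess
from typing import NamedTuple

# Credential-shaped patterns. These are illustrative assumptions, not an
# exhaustive list; add the exact formats of the keys your services issue.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

class Finding(NamedTuple):
    commit: str
    path: str
    kind: str
    line: str

def find_secrets(log_text: str) -> list[Finding]:
    """Parse `git log -p` text; report added (+) lines matching any pattern."""
    findings: list[Finding] = []
    commit = path = "?"
    for raw in log_text.splitlines():
        if raw.startswith("commit "):          # header of the next commit
            commit = raw.split()[1]
        elif raw.startswith("+++ "):           # file the following hunks touch
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("+") and not raw.startswith("+++"):
            content = raw[1:]                  # strip the diff marker
            for kind, pat in SECRET_PATTERNS.items():
                if pat.search(content):
                    findings.append(Finding(commit, path, kind, content.strip()))
    return findings

def scan_repo(repo_dir: str) -> list[Finding]:
    """Scan every reachable ref; unreachable/reflog-only commits are not covered."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "log", "--all", "-p", "--no-color"],
        capture_output=True, text=True, check=True).stdout
    return find_secrets(out)

# Constructed sample of `git log -p` output so the parser can run offline.
SAMPLE_LOG = """commit 0123456789abcdef0123456789abcdef01234567
Author: dev <dev@example.com>

    add config

diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,3 @@
 DEBUG = False
+PDF_API_KEY = "sk_live_abcdefghijklmnopqrstuvwxyz0123"
+AWS_KEY = "AKIAABCDEFGHIJKLMNOP"
"""
```

A hit in an old commit still counts: rewriting history does not revoke a key, so any key the scan turns up has to be rotated with the vendor, which is exactly what the update above is doing.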
This incident affected: API and Web App.