Re: SendGrid Security Breach - Action Required on Our Part?

2015-04-28 Thread semi-nube
Indubitably.  Always pulling from config.  I'm not as Semi-nube as I used 
to be.  ;)

On Tuesday, April 28, 2015 at 1:58:47 PM UTC-7, Robbie wrote:

 However it should be noted that if you've hard copied these values 
 anywhere in your app those won't be updated. As a general practice you 
 shouldn't do that and you should always pull them where possible from 
 config.

 On Tue, Apr 28, 2015 at 1:57 PM, Robbie Thng rob...@heroku.com wrote:

 Yes, the config vars defined in their docs (
 https://devcenter.heroku.com/articles/sendgrid) are the ones they have 
 the power to rotate. 

 On Tue, Apr 28, 2015 at 1:37 PM, semi-nube mysmile...@gmail.com wrote:

 That's good to know.  Is it safe to assume Heroku will update our 
 SendGrid password stored in our apps' config variables for us, then?

 Thanks.

 On Tuesday, April 28, 2015 at 1:24:56 PM UTC-7, Robbie wrote:

 Hi,

 We've been talking with Sendgrid about this since we found out.

 Part of using the add-on integration with Heroku means that the vendor 
 (in this case Sendgrid) are able to rotate the credentials on user apps 
 without informing the user if required, this would mean very little chance 
 of downtime for your app and a quick resolution with little worry.

 Sendgrid did not do this instantly due to further investigation on 
 their side, we have spoken to them this morning and they have assured us 
 that they will carry out the cred roll soon. We expect them to fulfill this
 and if it is not done within a timely manner, or to a standard that we 
 require to assure us of customer protection then we will reach out to 
 customers separately.

 On Tue, Apr 28, 2015 at 11:49 AM, semi-nube mysmile...@gmail.com 
 wrote:

 According to SendGrid's blog post here 
 https://sendgrid.com/blog/update-on-security-incident-and-additional-security-measures/?utm_content=buffer88081utm_medium=socialutm_source=twitter.comutm_campaign=buffer,
 users should reset their passwords due to a recent security breach where a
 SendGrid employee’s account had been compromised by a cyber criminal and 
 used to access several of our internal systems on three separate dates in 
 February and March 2015.

 ...and from their status page: If you have an account through one of 
 our reseller partners, look for specific communication from that partner. 
 Many partners like Heroku, Appdirect, Engineyard and Softlayer will make 
 the update seamlessly on your behalf.

 I see no mention of this on the Heroku blog.  What's the status of 
 this situation at Heroku?
  
 -- 
 -- 
 You received this message because you are subscribed to the Google
 Groups Heroku group.
  
 To unsubscribe from this group, send email to
 heroku+un...@googlegroups.com
 For more options, visit this group at
 http://groups.google.com/group/heroku?hl=en_US?hl=en

 --- 
 You received this message because you are subscribed to the Google 
 Groups Heroku Community group.
 To unsubscribe from this group and stop receiving emails from it, send 
 an email to heroku+un...@googlegroups.com.
 For more options, visit https://groups.google.com/d/optout.




Re: SendGrid Security Breach - Action Required on Our Part?

2015-04-28 Thread Robbie Thng
However it should be noted that if you've hard copied these values anywhere
in your app those won't be updated. As a general practice you shouldn't do
that and you should always pull them where possible from config.

On Tue, Apr 28, 2015 at 1:57 PM, Robbie Thng rob...@heroku.com wrote:

 Yes, the config vars defined in their docs (
 https://devcenter.heroku.com/articles/sendgrid) are the ones they have
 the power to rotate.

 On Tue, Apr 28, 2015 at 1:37 PM, semi-nube mysmilecent...@gmail.com
 wrote:

 That's good to know.  Is it safe to assume Heroku will update our
 SendGrid password stored in our apps' config variables for us, then?

 Thanks.

 On Tuesday, April 28, 2015 at 1:24:56 PM UTC-7, Robbie wrote:

 Hi,

 We've been talking with Sendgrid about this since we found out.

 Part of using the add-on integration with Heroku means that the vendor
 (in this case Sendgrid) are able to rotate the credentials on user apps
 without informing the user if required, this would mean very little chance
 of downtime for your app and a quick resolution with little worry.

 Sendgrid did not do this instantly due to further investigation on their
 side, we have spoken to them this morning and they have assured us that
 they will carry out the cred roll soon. We expect them to fulfill this and
 if it is not done within a timely manner, or to a standard that we require
 to assure us of customer protection then we will reach out to customers
 separately.

 On Tue, Apr 28, 2015 at 11:49 AM, semi-nube mysmile...@gmail.com
 wrote:

 According to SendGrid's blog post here
 https://sendgrid.com/blog/update-on-security-incident-and-additional-security-measures/?utm_content=buffer88081utm_medium=socialutm_source=twitter.comutm_campaign=buffer,
 users should reset their passwords due to a recent security breach where a
 SendGrid employee’s account had been compromised by a cyber criminal and
 used to access several of our internal systems on three separate dates in
 February and March 2015.

 ...and from their status page: If you have an account through one of
 our reseller partners, look for specific communication from that partner.
 Many partners like Heroku, Appdirect, Engineyard and Softlayer will make
 the update seamlessly on your behalf.

 I see no mention of this on the Heroku blog.  What's the status of this
 situation at Heroku?

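The message above notes that a rotation only rewrites the add-on's config vars, so a literal copy of the old value elsewhere in the app keeps the stale credential. The following is an added example, not code from the thread or from Heroku or SendGrid, that scans an app tree for literal copies of the current config values; the variable names `SENDGRID_USERNAME` and `SENDGRID_PASSWORD`, the skipped directories and the sample files are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumption: config var names used by the SendGrid add-on (not stated in the thread).
CONFIG_VARS = ("SENDGRID_USERNAME", "SENDGRID_PASSWORD")
SKIP_DIRS = {".git", "node_modules", "vendor", ".venv"}
MIN_LEN = 6  # ignore very short values that would match by accident


def find_hard_copies(root, env=None, names=CONFIG_VARS):
    """Return sorted (relative_path, line_no, var_name) for every line that
    contains a literal copy of a config value. The value itself is never returned."""
    env = os.environ if env is None else env
    needles = {n: env[n].encode() for n in names if len(env.get(n, "")) >= MIN_LEN}
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for fname in filenames:
            path = Path(dirpath) / fname
            try:
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if b"\0" in data[:1024]:
                continue  # looks binary
            for line_no, line in enumerate(data.splitlines(), 1):
                for name, needle in needles.items():
                    if needle in line:
                        rel = path.relative_to(root).as_posix()
                        hits.append((rel, line_no, name))
    return sorted(hits)


def demo():
    """Constructed app tree: one file hard-copies the password, one reads config."""
    env = {  # constructed sample values, not real credentials
        "SENDGRID_USERNAME": "app12345@heroku.com",
        "SENDGRID_PASSWORD": "constructed-old-secret",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "config" / "mail_bad.rb").write_text(
            "ActionMailer::Base.smtp_settings = {\n"
            "  user_name: ENV['SENDGRID_USERNAME'],\n"
            "  password: 'constructed-old-secret'\n"  # stale after a rotation
            "}\n"
        )
        (root / "config" / "mail_good.rb").write_text(
            "ActionMailer::Base.smtp_settings = {\n"
            "  user_name: ENV['SENDGRID_USERNAME'],\n"
            "  password: ENV['SENDGRID_PASSWORD']\n"  # follows the rotation
            "}\n"
        )
        return find_hard_copies(root, env)


if __name__ == "__main__":
    # Scan the current directory using values exported in the local environment.
    for rel, line_no, name in find_hard_copies(Path(".")):
        print(f"{rel}:{line_no}: literal copy of {name}")
```

Any hit is a place that will keep using the old credential after the vendor rotates the config var, and should be changed to read the value from config.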


Re: SendGrid Security Breach - Action Required on Our Part?

2015-04-28 Thread Robbie Thng
Hi,

We've been talking with Sendgrid about this since we found out.

Part of using the add-on integration with Heroku means that the vendor (in
this case Sendgrid) are able to rotate the credentials on user apps without
informing the user if required, this would mean very little chance of
downtime for your app and a quick resolution with little worry.

Sendgrid did not do this instantly due to further investigation on their
side, we have spoken to them this morning and they have assured us that
they will carry out the cred roll soon. We expect them to fulfill this and
if it is not done within a timely manner, or to a standard that we require
to assure us of customer protection then we will reach out to customers
separately.

On Tue, Apr 28, 2015 at 11:49 AM, semi-nube mysmilecent...@gmail.com
wrote:

 According to SendGrid's blog post here
 https://sendgrid.com/blog/update-on-security-incident-and-additional-security-measures/?utm_content=buffer88081utm_medium=socialutm_source=twitter.comutm_campaign=buffer,
 users should reset their passwords due to a recent security breach where a
 SendGrid employee’s account had been compromised by a cyber criminal and
 used to access several of our internal systems on three separate dates in
 February and March 2015.

 ...and from their status page: If you have an account through one of our
 reseller partners, look for specific communication from that partner. Many
 partners like Heroku, Appdirect, Engineyard and Softlayer will make the
 update seamlessly on your behalf.

 I see no mention of this on the Heroku blog.  What's the status of this
 situation at Heroku?



Re: SendGrid Security Breach - Action Required on Our Part?

2015-04-28 Thread semi-nube
That's good to know.  Is it safe to assume Heroku will update our SendGrid 
password stored in our apps' config variables for us, then?

Thanks.

On Tuesday, April 28, 2015 at 1:24:56 PM UTC-7, Robbie wrote:

 Hi,

 We've been talking with Sendgrid about this since we found out.

 Part of using the add-on integration with Heroku means that the vendor (in 
 this case Sendgrid) are able to rotate the credentials on user apps without 
 informing the user if required, this would mean very little chance of 
 downtime for your app and a quick resolution with little worry.

 Sendgrid did not do this instantly due to further investigation on their 
 side, we have spoken to them this morning and they have assured us that 
 they will carry out the cred roll soon. We expect them to fulfill this and 
 if it is not done within a timely manner, or to a standard that we require 
 to assure us of customer protection then we will reach out to customers 
 separately.

 On Tue, Apr 28, 2015 at 11:49 AM, semi-nube mysmile...@gmail.com wrote:

 According to SendGrid's blog post here 
 https://sendgrid.com/blog/update-on-security-incident-and-additional-security-measures/?utm_content=buffer88081utm_medium=socialutm_source=twitter.comutm_campaign=buffer,
 users should reset their passwords due to a recent security breach where a 
 SendGrid employee’s account had been compromised by a cyber criminal and 
 used to access several of our internal systems on three separate dates in 
 February and March 2015.

 ...and from their status page: If you have an account through one of our 
 reseller partners, look for specific communication from that partner. Many 
 partners like Heroku, Appdirect, Engineyard and Softlayer will make the 
 update seamlessly on your behalf.

 I see no mention of this on the Heroku blog.  What's the status of this 
 situation at Heroku?
  


Re: SendGrid Security Breach - Action Required on Our Part?

2015-04-28 Thread Robbie Thng
I thought that said nude, so that's significantly less worrying.

On Tue, Apr 28, 2015 at 2:01 PM, semi-nube mysmilecent...@gmail.com wrote:

 Indubitably.  Always pulling from config.  I'm not as Semi-nube as I
 used to be.  ;)

 On Tuesday, April 28, 2015 at 1:58:47 PM UTC-7, Robbie wrote:

 However it should be noted that if you've hard copied these values
 anywhere in your app those won't be updated. As a general practice you
 shouldn't do that and you should always pull them where possible from
 config.

 On Tue, Apr 28, 2015 at 1:57 PM, Robbie Thng rob...@heroku.com wrote:

 Yes, the config vars defined in their docs (
 https://devcenter.heroku.com/articles/sendgrid) are the ones they have
 the power to rotate.

 On Tue, Apr 28, 2015 at 1:37 PM, semi-nube mysmile...@gmail.com wrote:

 That's good to know.  Is it safe to assume Heroku will update our
 SendGrid password stored in our apps' config variables for us, then?

 Thanks.

 On Tuesday, April 28, 2015 at 1:24:56 PM UTC-7, Robbie wrote:

 Hi,

 We've been talking with Sendgrid about this since we found out.

 Part of using the add-on integration with Heroku means that the vendor
 (in this case Sendgrid) are able to rotate the credentials on user apps
 without informing the user if required, this would mean very little chance
 of downtime for your app and a quick resolution with little worry.

 Sendgrid did not do this instantly due to further investigation on
 their side, we have spoken to them this morning and they have assured us
 that they will carry out the cred roll soon. We expect them to fulfill this
 and if it is not done within a timely manner, or to a standard that we
 require to assure us of customer protection then we will reach out to
 customers separately.

 On Tue, Apr 28, 2015 at 11:49 AM, semi-nube mysmile...@gmail.com
 wrote:

 According to SendGrid's blog post here
 https://sendgrid.com/blog/update-on-security-incident-and-additional-security-measures/?utm_content=buffer88081utm_medium=socialutm_source=twitter.comutm_campaign=buffer,
 users should reset their passwords due to a recent security breach where a
 SendGrid employee’s account had been compromised by a cyber criminal and
 used to access several of our internal systems on three separate dates in
 February and March 2015.

 ...and from their status page: If you have an account through one of
 our reseller partners, look for specific communication from that partner.
 Many partners like Heroku, Appdirect, Engineyard and Softlayer will make
 the update seamlessly on your behalf.

 I see no mention of this on the Heroku blog.  What's the status of
 this situation at Heroku?



Re: SendGrid Security Breach - Action Required on Our Part?

2015-04-28 Thread Robbie Thng
Yes, the config vars defined in their docs (
https://devcenter.heroku.com/articles/sendgrid) are the ones they have the
power to rotate.

On Tue, Apr 28, 2015 at 1:37 PM, semi-nube mysmilecent...@gmail.com wrote:

 That's good to know.  Is it safe to assume Heroku will update our SendGrid
 password stored in our apps' config variables for us, then?

 Thanks.

 On Tuesday, April 28, 2015 at 1:24:56 PM UTC-7, Robbie wrote:

 Hi,

 We've been talking with Sendgrid about this since we found out.

 Part of using the add-on integration with Heroku means that the vendor
 (in this case Sendgrid) are able to rotate the credentials on user apps
 without informing the user if required, this would mean very little chance
 of downtime for your app and a quick resolution with little worry.

 Sendgrid did not do this instantly due to further investigation on their
 side, we have spoken to them this morning and they have assured us that
 they will carry out the cred roll soon. We expect them to fulfill this and
 if it is not done within a timely manner, or to a standard that we require
 to assure us of customer protection then we will reach out to customers
 separately.

 On Tue, Apr 28, 2015 at 11:49 AM, semi-nube mysmile...@gmail.com wrote:

 According to SendGrid's blog post here
 https://sendgrid.com/blog/update-on-security-incident-and-additional-security-measures/?utm_content=buffer88081utm_medium=socialutm_source=twitter.comutm_campaign=buffer,
 users should reset their passwords due to a recent security breach where a
 SendGrid employee’s account had been compromised by a cyber criminal and
 used to access several of our internal systems on three separate dates in
 February and March 2015.

 ...and from their status page: If you have an account through one of
 our reseller partners, look for specific communication from that partner.
 Many partners like Heroku, Appdirect, Engineyard and Softlayer will make
 the update seamlessly on your behalf.

 I see no mention of this on the Heroku blog.  What's the status of this
 situation at Heroku?
