I think (based on what I've read on the linked page) the notice was telling Heroku that "hey, someone used a compromised OAuth token to download your source code", not that "the tokens that you are using to read GitHub repositories of your users are compromised". Both are GitHub OAuth tokens, but playing different roles. Presumably the compromise of source code might have been used to help get access to the database that had the GitHub integration OAuth tokens, and realizing that might indeed have taken a couple days.