I should've said "hashed" not encrypted passwords. But the env vars are the real problem. They haven't categorically dismissed the hacker somehow getting access to the actual environment variables either. Only said there isn't evidence of that happening.
If it comes out that the hacker did get to unencrypted env vars, I think it's game over for Heroku. Nobody should trust them with sensitive data.
WTF!!!!
That alone is disastrous enough; they should be reprimanded for this. Are there, I'm sure, class action lawsuits happening?
How much of an impact will this have on Salesforce? I mean imagine the data from that alone would be immensely valuable.