Heroku breach security tasks [Meta]

[maxwofford]

Context: https://status.heroku.com/incidents/2413?updated

If you know a repo should be added, please include it to the list! Hack Club is a big place with a lot of deployed stuff, so extra hands on this helps.

This ticket is a meta issue to track what we need to do across all our repos that were deployed to Heroku. The following is a list of repos that should have a ticket for this incident (ie, hackclub/toriel will have a ticket for rotating slack API credentials). Once the ticket is created and linked here, the repo can be checked off the list:

• hackclub/toriel Rotate all API keys after Heroku security breach toriel#45
• hackclub/bank https://github.com/hackclub/bank/issues/2538
  • Tangentially related: https://github.com/hackclub/bank/issues/2541
• hackclub/orpheus Rotate all API keys after Heroku security breach orpheus-bot#67
• hackclub/clippy Rotate all API keys after Heroku security breach clippy#50
• hackclub/bucky (cc @zachlatta)
• hackclub/api Rotate all API keys after Heroku security breach api#470
• hackclub/airbridge
• hackclub/slash-z Rotate all API keys after Heroku security breach slash-z#57
• hackclub/hack.af Rotating keys, post-Heroku breach hack.af#28
• maxwofford/mail-dog
• hackclub/cow
• hackclub/lino Heroku breach follow-up tasks lino#5
• hackclub/github-oauth Rotate API keys after Heroku security breach github-oauth#13
• Hugoyhu/mailcorgiJS
• hackclub/mfa Rotate API keys after Heroku security breach mfa#4

[maxwofford]

There isn't a good way to link to a specific update on https://status.heroku.com/incidents/2413?updated, but they just posted their May 7, 2022 00:29 UTC update that mentions the db holding env variables was accessed, the decryption for that db wasn't accessed.