Rollbar security notice and response Sept 8, 2023 (rollbar.com)
11 points by jweir on Sept 8, 2023 | hide | past | favorite | 5 comments


Rollbar and similar (Logz.io, Datadog, New Relic, etc) are such honeypots - JACKPOTS - for anyone capable of harpooning their way in that I'm surprised they aren't targeted more frequently.

Unless they are.

Not really my wheelhouse.


It looks like every project by default has a standing token with read privileges. It never expires and it's not opt-in. Unless I’m missing something, that seems ridiculous.


The wording is concerning; the “including” suggests the breach could be wider.

I’d like to see a more explicit statement that lets us know things like GitHub credentials for source code integration have not been compromised.

“our initial forensic research indicates the unauthorized party accessed data about your account, including:

- Rollbar usernames and user email addresses
- Account names
- Project and environment names
- Project access tokens
- Project service link configuration”


Hi, Brian from Rollbar here. We believe that the items listed comprise the entirety of the scope. We will be able to state definitively once forensic analysis is complete.

GitHub tokens are not exposed. More specifically: customer credentials stored for third party integrations (i.e. GitHub, Slack, JIRA) are stored encrypted using a key that is not stored in the database, so those are not exposed.


Thank you for the clarification.

I think you are saying the attacker did or could have acquired the encrypted customer credentials but not the decryption key.

If that is the case, could you provide some more detail about the type of encryption to reassure us that it cannot be brute forced?
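An added example, not Rollbar's code and not posted by anyone in the thread, of the design Brian describes above: each third-party integration token is sealed with AES-256-GCM under a 32-byte key that is never a database column, so an exfiltrated row yields only ciphertext, and exhaustive search of a 256-bit key is infeasible, which is the assurance the question above asks for. The type and function names (CredentialRow, SealCredential, OpenCredential) are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CredentialRow is all the database holds for an integration token: provider
// plus AES-256-GCM blob (nonce||ciphertext||tag). The key is never stored here.
type CredentialRow struct {
	Provider   string
	Ciphertext []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key => AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCredential encrypts a token; the provider name is bound as associated data.
func SealCredential(key []byte, provider string, secret []byte) (CredentialRow, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return CredentialRow{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CredentialRow{}, err
	}
	ct := gcm.Seal(nonce, nonce, secret, []byte(provider)) // nonce is prepended
	return CredentialRow{Provider: provider, Ciphertext: ct}, nil
}

// OpenCredential fails on a wrong key, a tampered blob or a changed provider.
func OpenCredential(key []byte, row CredentialRow) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(row.Ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, row.Ciphertext[:n], row.Ciphertext[n:], []byte(row.Provider))
}
```

The key in a real deployment comes from the process environment or a KMS at runtime; a database dump alone contains nothing that decrypts the rows.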
