
Why are environment variables safe after 2022 Heroku breach?

In their communication about the April 2022 breach (summary here), Heroku states that environment variables (other than Review apps and CI variables) were safe because they are encrypted at rest.

We also wanted to address a question regarding impact to environment variables. While we confirmed that the threat actor had access to encrypted Heroku customer secrets stored in config var, the secrets are encrypted at rest and the threat actor did not access the encryption key necessary to decrypt config var secrets.

I wonder what prevents the hacker, who could download them, from trying many random decryption keys for the DATABASE_URL environment variable, for example, until it decrypts to something that starts with postgres, and then they would have found the key. Once they have the key, they can decrypt everything else.

What am I missing here?