> and the threat actor did not access the encryption key necessary to decrypt config var secrets.
If the threat actor had access to any of the systems that use the key, they may not have needed to. Even this statement isn't clear that they couldn't have done it, but suggests that they don't think it's true...
If the threat actor had access to any of the systems that use the key, they may not have needed to. Even this statement isn't clear that they couldn't have done it, but suggests that they don't think it's true...
This is really bad incident response messaging.