Actions other than... (1) obtained access to a Heroku database, (2) downloaded customer GitHub integration OAuth tokens, (3) enumerated metadata on customer repos with the OAuth tokens, (4) downloaded some Heroku private GitHub repos containing source code, and (5) exfiltrated customer hashed and salted passwords?