@vishnudfx reported an issue where an unclaimed subdomain on Heroku could have been claimed by an attacker and used as a convincing phishing vector.