Issue
A subdomain takeover occurs when an attacker gains control of a target domain. Typically, takeovers happen when an application is deprecated, but its old URL remains active and can still receive traffic from legacy users. An attacker can create an app at that URL and intercept the traffic and provide their own content. This can lead to phishing attacks, cookie theft, and bypassing OAuth allowlisting. You want to prevent this from happening with your app.
Resolution
On June 14, 2023, Heroku will start appending 12-character random identifiers to subdomains to prevent domains from being taken over after renaming or deleting apps. The URL format is APPNAME-IDENTIFIER.herokuapp.com. While you can't enable this on apps created prior to that date, any apps created after that date automatically mitigate subdomain reuse. The random identifier is not a part of the app name.
See the Dev Center for more info about app names and subdomains.