
mwmanning | 6 years ago

Hey since this is blown up I just want to address it directly.

I take responsibility for what happened here. My RubyGems.org account was using an insecure, reused password that has leaked to the internet in other breaches.

I made that account probably over 10 years ago, so it predated my use of password managers and I haven't used it much lately, so I didn't catch it in a 1password audit or anything.

Sometimes we miss things despite our best efforts.

Rotate your passwords, kids.


donkeyd | 6 years ago

Wow, that's a pretty well executed and possibly targeted attack then. It blows my mind how easy it can be to perform a high impact attack by abusing popular libraries. Hopefully this was caught before it got into production in high profile implementations.

mwmanning | 6 years ago

Yeah I'm assuming the methodology is:

1) Find high-value target libraries

2) Grab the usernames of accounts with push access

3) Check those against password dumps

I feel really stupid about this, but like I said it was an oversight. I apologize and will try to do better.

dspillett | 6 years ago

I doubt the initial attack was targeted. That would have been a brute force testing-known-passwords-against-similarly-named-accounts. Once a useful account was found it could well have been sold on the appropriate black market rather than the finder using it themselves.

vorpalhex | 6 years ago

It can happen to us all.

tempguy9999 | 6 years ago

> I take responsibility for what happened here

that's... rare. Well done.