The Case for 2FA, Post Rest-Client Gem CVE (rietta.com)
3 points by rietta on Aug 22, 2019 | hide | past | favorite | 2 comments


From the article:

"We had a chance to speak to Matt Manning who provided some clues to what may have led to his account being compromised.

'I probably hadn’t logged into the rubygems web UI since 2011/2012. I don’t know if they had 2fa back then, and I wasn’t disciplined about using a password manager then. I use 1password now, but that login was so old that I didn’t even have it in 1pass, so I didn’t catch it when I audited dupes, etc there. I probably haven’t pushed a public gem since 2014. I guess my api key was cached for that.'

Matt raises a point of interest which we’ll dive into further later, but it’s worth noting that he hadn’t pushed to a public gem since 2014. This long predates when 2FA was introduced to RubyGems, which was announced in the blog post November 2018 RubyGems Updates (rubygems.org) on 12/09/2018."


`~>` This operator is a devil
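The `~>` (pessimistic) operator the comment refers to lets Bundler pick up any newer patch release that still satisfies the constraint, so a release pushed from a hijacked maintainer account can enter a build with no change to the Gemfile. As an added example (not from the thread, the article, or rest-client itself), this uses RubyGems' own `Gem::Requirement` over a constructed list of versions to show which version each constraint resolves to:

```ruby
require "rubygems"

# Constructed set of published versions for a hypothetical gem. The
# highest patch release stands in for a version pushed after the
# maintainer's account was taken over.
AVAILABLE = %w[1.6.7 1.6.8 1.6.9 1.6.10 2.0.0].freeze

# Return the version Bundler would resolve for a constraint when no
# Gemfile.lock pins it: the highest available version that satisfies it.
def resolve(constraint, available = AVAILABLE)
  req = Gem::Requirement.new(constraint)
  available.map { |v| Gem::Version.new(v) }
           .select { |v| req.satisfied_by?(v) }
           .max
           &.to_s
end

# True when a constraint would silently accept a version newer than the
# one the project was last built against. A committed Gemfile.lock is
# the defence: it pins the exact version, and only `bundle update`
# (a reviewable action) moves it.
def accepts_new_release?(constraint, locked, new_version)
  req = Gem::Requirement.new(constraint)
  candidate = Gem::Version.new(new_version)
  req.satisfied_by?(candidate) && candidate > Gem::Version.new(locked)
end

if $PROGRAM_NAME == __FILE__
  ["~> 1.6.9", "~> 1.6", "= 1.6.9"].each do |c|
    puts "#{c.ljust(10)} -> #{resolve(c)}"
  end
end
```

Both `~> 1.6.9` and `~> 1.6` resolve to the newest 1.6.x release; only the exact pin stays on 1.6.9.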



