Hey since this is blown up I just want to address it directly.
I take responsibility for what happened here. My RubyGems.org account was using an insecure, reused password that has leaked to the internet in other breaches.
I made that account probably over 10 years ago, so it predated my use of password managers and I haven't used it much lately, so I didn't catch it in a 1password audit or anything.
Sometimes we miss things despite our best efforts.
Wow, that's a pretty well executed and possibly targeted attack then. It blows my mind how easy it can be to perform a high impact attack by abusing popular libraries. Hopefully this was caught before it got into production in high profile implementations.
Sounds like rubygems and other registries like npm should try to get ahold of those password dumps and check them against their own account databases somewhat frequently!
If you find a reused password, how do you let the user know though? If I got a "your account is vulnerable" message I'd ignore it as junk like all the other ones I get pretty much daily. You could force a change next time the user logs to your interactive interface, but many users won't do that for some time.
The best approach is probably to disable the account completely until an interactive login is made and a password reset can be forced but some would be up in arms about the inconvenience caused: you can't just allow a simple reset as the login could be coming from an attacker not the original user, an extra channel will need to be used to verify the identity. You might just have to leave the account locked forever and expect the user to create a new one - but now you have the old account and its content which may be used as a dependency of many projects which now break, unnecessarily if there hasn't been a login by a nefarious type.
You could send that notification, invalidate any client tokens, and also disable the compromised password forcing the user to re-authenticate through their email address, a-la password reset, and I guess also verify they aren't using the same password again.
You wouldn't lock the account forever, the point is to establish that the person whose password was compromised knows, that the password is not the only factor which is used to regain access to the account, and to ensure that your service (rubygems) and its downstream users are not compromised as well as a result of the breach.
Any groaning about the inconvenience caused by disabling account access until the password is changed, can be simply shrugged away in favor of security concerns, with a link to this story about rest-client.
By the time you have learned the user's plaintext password, their account may already have been compromised. There's a case to make that you disable all downloads of any gems that might be compromised from the account until you've verified they aren't. That might be over the top, especially for popular projects as now we are talking serious inconvenience affecting potentially thousands or more of downstreams.
It's a sticky situation, since you don't really know how long that password has been in the open for hackers to use and abuse once you've discovered it in a password dump.
Heroku did this about a year ago. They have a list of known pwned passwords (probably haveibeenpwned, but honestly I'm not sure), and disallow accounts to use those passwords. When that change was implemented, any account using a pwned password had that password expired.
If a gem maintainer is re-using a known-compromised password they have absolutely zero right to be annoyed at the "inconvenience" of having to reset their password to something that isn't compromised.
RubyGems has a responsibility to its users and community here. It (like npm) needs to take this stuff seriously.
Presumably you'd use whatever procedure you use for a lost password?
But simply forcing a password change at the next login after detecting an insecure password would not unduly burden anyone and would be better than doing nothing.
Glassdoor emailed me this week with such an email. We found that your password was leaked, we have disabled your account and signed you out of all devices, you need to create a new password to login.
The salts should be different for each user, specifically to deter brute forcing of this nature.
The only time you would have access is when the user logs in, so for rarely logged in users you would have to proactively reset their password or cross your fingers.
Hopefully you don't transmit the password and are doing challenge/response so that you don't even have it when the user logs in.
But even with 12 round bcrypt hashing, you should be able to fairly cheaply attack a list of 2,000 bcrypted passwords with a million-entry database of leaked e-mail/password combos in a GPU-month.
Probably easier to force a password reset on everyone and then do the checking on password change, although you need to be careful there not to be sending the password.
EDIT: uhm, wait, so if you've got the e-mail address in the dump then there's only one user for that, so just grab their salt and hash the password and check it. So that million entry database should be checkable in a bit over half an hour...
It happens. You've taken reasonable precautions to safeguard your online identity, which is all one can really ask. Sometimes things slip through the cracks. The hacker is to blame, not you.
The larger question is about if gem/npm/cargo-style package managers are such a terrific idea in the long run. The security implications are pretty serious.
I doubt the initial attack was targetted. That would have been a brute force testing-known-passwords-against-similarly-named-accounts. Once a useful account was found it could well have been sold on the appropriate black market rather than the finder using it themselves.
The base cost for a rack is about $85/mo. Convox is extremely cost effective for small businesses and up, but would be expensive for running a single, low-traffic hobby app.
That's exactly the etymology. We were thinking about datacenters and servers. The original name was convox/kernel, but we thought it wasn't very descriptive.
The naming collision with the Ruby interface is unfortunate, but we figured it was pretty easy to tell them apart from context.
What's Convox's business/funding model? Not skeptical, just genuinely curious and can't tell from browsing the site. Also, what are your other offerings? If everything between AWS and my site is free, what else is there to offer?
We were in the Summer 2015 YC batch and we've taken some VC funding.
Our other main offering is a web console for managing your team's access to rack(s) and integrations with 3rd party services. https://console.convox.com We charge a subscription fee for that and we also sell support and services packages.
Yeah I was looking at kind of making a heroku setup on my servers sorta like Dokku, but I'm not a real big fan of Dokku. And I wanted to use CoreOS and Docker, but I realized that I can't just include all possible programming languages into a container to be built. So I've opted out of that and just build custom containers based on the app I am deploying.
2) We're working on an RDS provisioning service today and hope to release something this weekend. We're also in early talks with other addon (we call them "services") providers. For now if you want to use one of these services you can connect to them using environment variables. http://docs.convox.com/docs/environment-variables/
3) Our RDS service will eventually handle backups and recovery, but those features aren't implemented yet. We're also exploring partnering with other hosted database services that already have these features.
4) Convox is open source https://github.com/convox and totally free. You can use it however you want and you only have to pay for the AWS expenses. We're also experimenting with managed hosting, which we'll charge a small premium for, so please let me know if you're interested in that.
You could run Wordpress today, afaik. Anything that can run in a Docker container can run on on Convox. You'd just need to use some sort of hosted database service like Amazon RDS to persist your data.
edit: Just looked at Wordpress a little closer. I didn't realize it expects a persistent filesystem, which I guess is what you're asking about. Convox follows the 12factor.net philosophy of ephemeral filesystems, so you'd need to figure out a way to persist files to S3 or similar...
I take responsibility for what happened here. My RubyGems.org account was using an insecure, reused password that has leaked to the internet in other breaches.
I made that account probably over 10 years ago, so it predated my use of password managers and I haven't used it much lately, so I didn't catch it in a 1password audit or anything.
Sometimes we miss things despite our best efforts.
Rotate your passwords, kids.