Hey since this is blown up I just want to address it directly.
I take responsibility for what happened here. My RubyGems.org account was using an insecure, reused password that has leaked to the internet in other breaches.
I made that account probably over 10 years ago, so it predated my use of password managers and I haven't used it much lately, so I didn't catch it in a 1password audit or anything.
Sometimes we miss things despite our best efforts.
The base cost for a rack is about $85/mo. Convox is extremely cost effective for small businesses and up, but would be expensive for running a single, low-traffic hobby app.
We were in the Summer 2015 YC batch and we've taken some VC funding.
Our other main offering is a web console for managing your team's access to rack(s) and integrations with 3rd party services. https://console.convox.com We charge a subscription fee for that and we also sell support and services packages.
That's exactly the etymology. We were thinking about datacenters and servers. The original name was convox/kernel, but we thought it wasn't very descriptive.
The naming collision with the Ruby interface is unfortunate, but we figured it was pretty easy to tell them apart from context.
1) Find high-value target libraries
2) Grab the usernames of accounts with push access
3) Check those against password dumps
I feel really stupid about this, but like I said it was an oversight. I apologize and will try to do better.