To summarize, the poster had checked in code to a public git repo that accidentally contained the 12-word seed/recovery phrase for a wallet address. A bot caught the phrase and drained the account, all within a matter of minutes of it being posted.
Not your keys, not your crypto
One of the most common mantras of the crypto world is "not your keys, not your crypto". The basic idea is that if you are using a service that interacts with a blockchain and it vaults the keys on your behalf, so that you don't actually possess the keys, then you don't actually own the crypto. But it can also be said that if you post your key to a public place, it's not your key any more, and also not your crypto.
What to do?
First, be absolutely certain keys aren't posted to public websites. But private keys (or recovery phrases) shouldn't be posted to any cloud service either. They are intended to be written down and stored in a safe place.
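One way to catch a recovery phrase before it reaches a public repo is to scan files in a pre-commit hook. The following is an added example, not code from the original post: the function names, the sample text and the delimiter set are assumptions, and the heuristic (a run of 12 or more lowercase words of 3 to 8 letters on one line, the shape of a BIP-39 English phrase) can be tightened by passing in the real wordlist.

```python
import re
import sys

# BIP-39 English words are 3-8 lowercase letters; 12 words is the shortest phrase.
WORD = re.compile(r"[a-z]{3,8}")
DELIMS = re.compile(r"[\s\"'=:,\[\]]+")  # whitespace plus common code/config punctuation
MIN_WORDS = 12

# Constructed sample input; the words are placeholders, not a real wallet phrase.
SAMPLE = "\n".join([
    "# constructed sample config, not a real wallet",
    'API_URL = "https://example.invalid/rpc"',
    'SEED = "lamp river stone cloud maple tiger ocean candy rabbit window orange puzzle"',
    'print("hello world this is a short log line")',
])


def find_seed_phrase_candidates(text, wordlist=None):
    """Return [(line_number, word_count)] for runs that look like a mnemonic.

    wordlist: optional set of the 2048 BIP-39 words (not embedded here). When
    given, every word in a run must be in it, which removes most false hits.
    Only phrases written on a single line are detected.
    """
    hits = []
    for line_number, line in enumerate(text.splitlines(), start=1):
        run = 0
        for token in DELIMS.split(line) + [""]:  # trailing "" flushes the last run
            if WORD.fullmatch(token) and (wordlist is None or token in wordlist):
                run += 1
                continue
            if run >= MIN_WORDS:
                hits.append((line_number, run))
            run = 0
    return hits


def main(paths):
    """Scan the given files; return 1 (blocks the commit) if anything matches."""
    found = False
    for path in paths:
        with open(path, encoding="utf-8", errors="ignore") as handle:
            for line_number, count in find_seed_phrase_candidates(handle.read()):
                # Report the location only; never echo the phrase itself.
                print(f"{path}:{line_number}: possible {count}-word recovery phrase")
                found = True
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Called from a git pre-commit hook with the staged file paths as arguments, a non-zero exit status stops the commit before the phrase is ever pushed.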
When developing or testing things, don't use your real account and stick to test networks. It doesn't cost anything to spin up a new address for testing, and then forget about it when you are done.
Keep your keys in offline formats, such as a paper key or USB drive. I suppose you could use a CD-R, which would add to the inconvenience since no one actually has a CD drive to read or write the things any more ;)
Any storage format should include encryption so that the data is as safe as possible when at rest. Theoretically though, once the data is accessible (i.e. connected to a computer and decrypted) it is vulnerable. I personally go through the extra step of using GPG on the keyfiles themselves so the risk is further minimized. So the file contents are encrypted, and then stored in an encrypted container. The plain-text version of the key is read out at use and never stored on disk.
For additional peace of mind, you can utilize something like etherscan.io to monitor transactions on accounts that you care about so you know when something is happening. Though in many cases it's probably already too late by that point.
While it might be a little less convenient, splitting your crypto between accounts or using a multi-sig wallet would add some protection so that if one key is compromised, you don't stand to lose everything.
Is all this really necessary?
Probably not, until it is, and that's the point. Multiple layers of encryption are extra hoops to jump through that will probably just be more of a pain for your general use, and your keys are probably not that at risk. But it only takes one slip-up, and then there is no going back. So ensuring secure practices from the beginning further lessens the chances of any crypto assets being stolen.
Call to action!
So go check your wallets and key storing practices and make sure that you are managing your keys in a safe manner. Also ensure your private keys are never stored in a public location, including services like Dropbox or Google Drive.