"Secure" is kind of a relative term; it only exists with regard to a threat model and a likely spectrum of attacks. Simply having the key in plaintext on a developer PC connected to the regular internet is fairly low-security to start with; there are all sorts of opportunities for coincidental compromise that may have exposed it directly from his PC or his collaborator's PC.
Sure, but using any third party is inviting a layer of risk. Banks get hacked too. No system is without vulnerabilities. You decide which to trust, including your potentially error-prone self.