Original Reddit post, which the article almost exclusively pulls from: https://old.reddit.com/r/googlecloud/comments/1reqtvi/82000_in_48_hours_from_stolen_gemini_api_key_my/
Original Reddit post, which the article almost exclusively pulls from: https://old.reddit.com/r/googlecloud/comments/1reqtvi/82000_in_48_hours_from_stolen_gemini_api_key_my/
Google is a bad company with bad policies, but I’d love to have them explain what caused the compromise. They dispute that it was uploaded publicly to GitHub, but don’t seem to provide any information as to what happened. They also didn’t have 2fa on, which is strange to hear because AWS (they’re using Google) required 2fa on all accounts at least a year ago, regardless of permissions if memory serves. Really sorry to hear this happened to them, and the fact you can’t set a hard cap on spend makes Google the party ultimately responsible here, but I’d appreciate having more information on the actual cause.
Google also changed the rules on API key security after years of precedent.
https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules
I’m sure they have a reason for everything they do, but rarely are they good reasons.
Don’t be evilYes, I saw that, I just didn’t see them say that’s what happened to them. If that’s what happened then this should be an open and shut case. Like I said initially, Google is a bad company doing bad things and this change was an objectively greedy and evil thing.