The developers said they did not believe they made any “obvious” operational mistake. After discovering the compromised key, they attempted to secure their system by deleting exposed keys, disabling Google Gemini API access, and enabling two-factor authentication across their accounts.

I’m no “cloud developer”, but there seem to be a few obvious operational mistakes described just in that paragraph alone…