Original Reddit post, which the article almost exclusively pulls from: https://old.reddit.com/r/googlecloud/comments/1reqtvi/82000_in_48_hours_from_stolen_gemini_api_key_my/
This is why I’ve never taken up the “free tiers” of these big cloud hosting. I looked in to it and there was absolutely no way to limit billing. There is reports and some people say, “setup automation,” but that is something they should have done. Why do I have to code features into their platform?
The lack of control is intentional, the business is happy when this happens as they can extract more money from people.
One of the developers argued on Reddit that cloud providers should implement stronger safeguards
Uh, stronger safeguards like LIKE ENABLING TWO FACTOR AUTHENTICATION YOU FUCKING IDIOTS.
I wasnt aware of 2FA on API keys.
Is that something new?
And here I thought that’s why they tell you to never share it because the API key can’t be protected by 2FA (And no, IAM or SSO is not something I will count)deleted by creator
The developers said they did not believe they made any “obvious” operational mistake. After discovering the compromised key, they attempted to secure their system by deleting exposed keys, disabling Google Gemini API access, and enabling two-factor authentication across their accounts.
I’m no “cloud developer”, but there seem to be a few obvious operational mistakes described just in that paragraph alone…
After discovering the robbery, the bank installed doors and locks.
Fuck Reddit and Fuck Spez.
Also fuck news sites that get 100% of their info from Reddit without verifying if any of it is even true.
Google is a bad company with bad policies, but I’d love to have them explain what caused the compromise. They dispute that it was uploaded publicly to GitHub, but don’t seem to provide any information as to what happened. They also didn’t have 2fa on, which is strange to hear because AWS (they’re using Google) required 2fa on all accounts at least a year ago, regardless of permissions if memory serves. Really sorry to hear this happened to them, and the fact you can’t set a hard cap on spend makes Google the party ultimately responsible here, but I’d appreciate having more information on the actual cause.
Google also changed the rules on API key security after years of precedent.
https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules
I’m sure they have a reason for everything they do, but rarely are they good reasons.
Don’t be evilYes, I saw that, I just didn’t see them say that’s what happened to them. If that’s what happened then this should be an open and shut case. Like I said initially, Google is a bad company doing bad things and this change was an objectively greedy and evil thing.
‘Turned $180 billion into $82,000 in two days’
Wait, I thought this story was about Google AI, not OpenAI.
It all the same garbage.
Good
