XLE

A stolen Gemini API key turned a $180 bill into $82,000 in two days

https://piefed.social/c/technology/p/1837724/a-stolen-gemini-api-key-turned-a-180-bill-into-82000-in-two-days

A stolen Gemini API key turned a $180 bill into $82,000 in two days

Original Reddit post, which the article almost exclusively pulls from: https://old.reddit.com/r/googlecloud/comments/1reqtvi/82000_in_48_hours_from…

Mar 3 at 3:41pmWeb
Show threadMountingSuspicionMar 3
Google is a bad company with bad policies, but I’d love to have them explain what caused the compromise. They dispute that it was uploaded publicly to GitHub, but don’t seem to provide any information as to what happened. They also didn’t have 2fa on, which is strange to hear because AWS (they’re using Google) required 2fa on all accounts at least a year ago, regardless of permissions if memory serves. Really sorry to hear this happened to them, and the fact you can’t set a hard cap on spend makes Google the party ultimately responsible here, but I’d appreciate having more information on the actual cause.
Show threadXLEMar 3

Google also changed the rules on API key security after years of precedent.

https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules

I’m sure they have a reason for everything they do, but rarely are they good reasons.

Google API Keys Weren't Secrets. But then Gemini Changed the Rules. ◆ Truffle Security Co.

Google spent over a decade telling developers that Google API keys (like those used in Maps, Firebase, etc.) are not secrets. But that's no longer true.

Show threadMountingSuspicionMar 3
Yes, I saw that, I just didn’t see them say that’s what happened to them. If that’s what happened then this should be an open and shut case. Like I said initially, Google is a bad company doing bad things and this change was an objectively greedy and evil thing.
Show threaddb2Mar 4
Don’t be evil
Show threadGumusMar 4
Show threadReygleMar 3
Good
Show threaddhorkMar 3

The developers said they did not believe they made any “obvious” operational mistake. After discovering the compromised key, they attempted to secure their system by deleting exposed keys, disabling Google Gemini API access, and enabling two-factor authentication across their accounts.

I’m no “cloud developer”, but there seem to be a few obvious operational mistakes described just in that paragraph alone…

Show threadFauxLivingMar 3
After discovering the robbery, the bank installed doors and locks.
Show threadace_garpMar 3

‘Turned $180 billion into $82,000 in two days’

Wait, I thought this story was about Google AI, not OpenAI.

Show thread13igTymeMar 3
It all the same garbage.
Show threadFUCKING_CUNOMar 3

One of the developers argued on Reddit that cloud providers should implement stronger safeguards

Uh, stronger safeguards like LIKE ENABLING TWO FACTOR AUTHENTICATION YOU FUCKING IDIOTS.

Show threadpipe01Mar 3
That’s not really how API keys work tho
Show threadAppoxoMar 4

I wasnt aware of 2FA on API keys.

Is that something new?
And here I thought that’s why they tell you to never share it because the API key can’t be protected by 2FA (And no, IAM or SSO is not something I will count)

Show thread😈MedicPig🐷BabySaver😈Mar 3
Fuck Reddit and Fuck Spez.
Show thread🇰 🌀 🇱 🇦 🇳 🇦 🇰 🇮 Mar 4
Also fuck news sites that get 100% of their info from Reddit without verifying if any of it is even true.
Show threadpurplemonkeymadMar 4

This is why I’ve never taken up the “free tiers” of these big cloud hosting. I looked in to it and there was absolutely no way to limit billing. There is reports and some people say, “setup automation,” but that is something they should have done. Why do I have to code features into their platform?

The lack of control is intentional, the business is happy when this happens as they can extract more money from people.