this post was submitted on 03 Mar 2026
97 points (97.1% liked)

Technology

84073 readers
3048 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
97
A stolen Gemini API key turned a $180 bill into $82,000 in two days (www.techspot.com)
submitted 1 month ago by XLE@piefed.social to c/technology@lemmy.world
14 comments fedilink hide all child comments
 

Original Reddit post, which the article almost exclusively pulls from: https://old.reddit.com/r/googlecloud/comments/1reqtvi/82000_in_48_hours_from_stolen_gemini_api_key_my/

all 15 comments
sorted by: hot top controversial new old
[–] dhork@lemmy.world 51 points 1 month ago (1 children)

The developers said they did not believe they made any "obvious" operational mistake. After discovering the compromised key, they attempted to secure their system by deleting exposed keys, disabling Google Gemini API access, and enabling two-factor authentication across their accounts.

I'm no "cloud developer", but there seem to be a few obvious operational mistakes described just in that paragraph alone....

[–] FauxLiving@lemmy.world 29 points 1 month ago

After discovering the robbery, the bank installed doors and locks.

[–] FUCKING_CUNO@lemmy.dbzer0.com 22 points 1 month ago (2 children)

One of the developers argued on Reddit that cloud providers should implement stronger safeguards

Uh, stronger safeguards like LIKE ENABLING TWO FACTOR AUTHENTICATION YOU FUCKING IDIOTS.

[–] Appoxo@lemmy.dbzer0.com 2 points 1 month ago

I wasnt aware of 2FA on API keys.

Is that something new?
And here I thought that's why they tell you to never share it because the API key can't be protected by 2FA (And no, IAM or SSO is not something I will count)

[–] MountingSuspicion@reddthat.com 15 points 1 month ago (1 children)

Google is a bad company with bad policies, but I'd love to have them explain what caused the compromise. They dispute that it was uploaded publicly to GitHub, but don't seem to provide any information as to what happened. They also didn't have 2fa on, which is strange to hear because AWS (they're using Google) required 2fa on all accounts at least a year ago, regardless of permissions if memory serves. Really sorry to hear this happened to them, and the fact you can't set a hard cap on spend makes Google the party ultimately responsible here, but I'd appreciate having more information on the actual cause.

[–] XLE@piefed.social 16 points 1 month ago (2 children)

Google also changed the rules on API key security after years of precedent.

https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules

I'm sure they have a reason for everything they do, but rarely are they good reasons.

[–] db2@lemmy.world 4 points 1 month ago (1 children)

~~Don't be evil~~

[–] MountingSuspicion@reddthat.com 1 points 1 month ago

Yes, I saw that, I just didn't see them say that's what happened to them. If that's what happened then this should be an open and shut case. Like I said initially, Google is a bad company doing bad things and this change was an objectively greedy and evil thing.

[–] MedicPigBabySaver@lemmy.world 13 points 1 month ago

Fuck Reddit and Fuck Spez.

[–] ace_garp@lemmy.world 10 points 1 month ago (1 children)

'Turned $180 billion into $82,000 in two days'

Wait, I thought this story was about Google AI, not OpenAI.

[–] 13igTyme@piefed.social 5 points 1 month ago

It all the same garbage.

[–] purplemonkeymad@programming.dev 9 points 1 month ago

This is why I've never taken up the "free tiers" of these big cloud hosting. I looked in to it and there was absolutely no way to limit billing. There is reports and some people say, "setup automation," but that is something they should have done. Why do I have to code features into their platform?

The lack of control is intentional, the business is happy when this happens as they can extract more money from people.

[–] Reygle@lemmy.world 4 points 1 month ago

Good