No Result
View All Result
  • Login
Sunday, July 12, 2026
FeeOnlyNews.com
  • Home
  • Business
  • Financial Planning
  • Personal Finance
  • Investing
  • Money
  • Economy
  • Markets
  • Stocks
  • Trading
  • Home
  • Business
  • Financial Planning
  • Personal Finance
  • Investing
  • Money
  • Economy
  • Markets
  • Stocks
  • Trading
No Result
View All Result
FeeOnlyNews.com
No Result
View All Result
Home Startups

A Google Cloud developer woke up to a $17,000 bill from API calls he never made, and the part that actually matters is what it reveals about how cloud platforms define their own security standards

by FeeOnlyNews.com
2 months ago
in Startups
Reading Time: 3 mins read
A A
0
A Google Cloud developer woke up to a ,000 bill from API calls he never made, and the part that actually matters is what it reveals about how cloud platforms define their own security standards
Share on FacebookShare on TwitterShare on LInkedIn


The COO of Google Cloud spent part of last week telling executives that security cannot be bolted onto AI strategies after the fact. The same week, security researchers published findings showing that deleted Google API keys remain usable by attackers for up to 23 minutes, and Google Cloud developers continued seeking refunds for five-figure bills triggered by API calls they never authorized. The gap between the advice and the practice is the story.

Photo by panumas nikhomkhai on Pexels

The prescription

Francis de Souza, Google Cloud’s COO, shared at a recent Los Angeles event that companies need to demand security, governance, and auditability from their platforms from the start, and warned specifically about “shadow AI” — employees reaching for consumer tools without organisational oversight. His framing: “There’s no such thing as an AI strategy without a data strategy and a security strategy. They need to go hand in hand.”

The framing of the threat landscape is equally striking. Google’s own Mandiant M-Trends 2026 report, presented at RSAC, found that adversary coordination has driven the time between initial access and hand-off to a follow-on attacker down to 22 seconds. The implication: human-led defence is structurally too slow. Google Cloud’s proposed answer, articulated at Cloud Next 2026, is a shift from human-in-the-loop to AI-led defence, with humans overseeing rather than operating in the loop.

The practice

While that case was being made, The Register was documenting a different story about the same platform. Prentus CEO Rod Danan watched his Google Cloud bill hit $10,138 in about 30 minutes after attackers used a compromised API key. Sydney-based developer Isuru Fonseka woke up to charges of roughly AUD $17,000 despite believing he had a $250 spending cap in place. Google later reimbursed both after the reporting appeared but said it would not change the underlying policy.

The mechanism is worth pausing on. A February analysis by Truffle Security researcher Joe Leon documented that API keys originally deployed for Google Maps — keys Google’s own documentation told developers to paste publicly into HTML — quietly became capable of accessing Gemini models after Google expanded their scope. Truffle’s scan of public web sources turned up 2,863 live Google API keys exposed to this vector. Separately, Google’s automated systems upgraded users’ billing tiers based on account history, raising effective ceilings as high as $100,000 without explicit consent. Google has indicated it will continue that automatic tier-upgrade policy, citing a preference for preventing service outages over enforcing user-stated budget caps.

The 23-minute window

The credential-revocation issue is the more revealing of the two. Researchers at Aikido Security, led by Joe Leon, found that even developers who catch a compromised key and immediately delete it may not be safe. Across ten controlled trials, the revocation window ranged from about eight minutes to nearly 23, with a median around 16. During that window, success rates are unpredictable — in some minutes, over 90% of requests still authenticated; in others, fewer than 1%. Attackers can use the time to exfiltrate files and cached Gemini conversation data.

Aikido’s analysis indicates that Google’s newer credential formats don’t have the same problem: service account API credentials revoke in about five seconds, and Gemini’s AQ-prefixed key format takes about a minute. Both run at Google scale, suggesting this is technically solvable for standard Google API keys too. Google told Aikido it has no plans to address the gap, closing the report as “Won’t Fix (Infeasible)” and describing the propagation delay as working as intended. The 23-minute window, in other words, is a question of priorities rather than engineering constraint.

Why this matters structurally

The standard reading of incidents like these is that they reflect implementation gaps a large platform will eventually close. The institutional reading is harder. Cloud platforms are simultaneously selling AI infrastructure, AI security tooling, and the analytical frameworks customers use to think about AI risk. The same company that prescribes the standard also defines what counts as meeting it, and operates with internal incentives — uptime, billing continuity, default expansion of API scope — that don’t always align with the customer’s stated security posture.

De Souza himself has been candid that the industry is still figuring this out, telling TechCrunch that everyone is “navigating AI security in real time” and that a sustainable long-term understanding of AI security remains several years away. That is a candid assessment from someone whose job is to have answers.

Silicon Canals has previously examined how the AI industry’s confidence in its own architecture is being quietly walked back in private even as it’s marketed in public. The security layer is following a similar pattern. The advice from platform leaders is sound. The practice on the same platforms is several steps behind the advice. Both things are true, and customers are being asked to act on the prescription while absorbing the cost of the gap.

api key vulnerability
Photo by Tima Miroshnichenko on Pexels



Source link

Tags: APIbillcallscloudDefineDeveloperGoogleMatterspartplatformsrevealsSecuritystandardsWoke
ShareTweetShare
Previous Post

Soroka reconstruction plan comprises five new buildings

Next Post

Have trading volumes dropped after STT hike on F&O? Here’s what data shows

Related Posts

A 2025 MIT report estimated that roughly 95% of task-specific enterprise generative-AI initiatives had yet to produce measurable business returns. The researchers argued that the main obstacle was not the underlying models, but tools that failed to learn from feedback, fit existing workflows or solve clearly defined operational problems.

A 2025 MIT report estimated that roughly 95% of task-specific enterprise generative-AI initiatives had yet to produce measurable business returns. The researchers argued that the main obstacle was not the underlying models, but tools that failed to learn from feedback, fit existing workflows or solve clearly defined operational problems.

by FeeOnlyNews.com
July 12, 2026
0

The useful reading of the MIT finding is not that generative AI has failed. It is that enterprise AI has...

A MIT-OpenAI study of nearly 40 million chats found the heaviest ChatGPT users reported more loneliness, dependence, and less time with real people, though researchers warn the link is correlation, not cause

A MIT-OpenAI study of nearly 40 million chats found the heaviest ChatGPT users reported more loneliness, dependence, and less time with real people, though researchers warn the link is correlation, not cause

by FeeOnlyNews.com
July 11, 2026
0

We are writers and editors, not clinicians, psychologists, or therapists. What follows is our reading of a pair of recent...

Psychology says people who reach their 40s and 50s feeling lonely aren’t socially broken — they’re often the ones who poured the most into careers, caregiving, and keeping others afloat, and simply ran out of room for themselves

Psychology says people who reach their 40s and 50s feeling lonely aren’t socially broken — they’re often the ones who poured the most into careers, caregiving, and keeping others afloat, and simply ran out of room for themselves

by FeeOnlyNews.com
July 10, 2026
0

There is a particular kind of loneliness that arrives in a person’s forties and fifties without any obvious cause. Nothing...

The Real Reason Your Content Sounds Generic, and Why AI Isn’t the Problem

The Real Reason Your Content Sounds Generic, and Why AI Isn’t the Problem

by FeeOnlyNews.com
July 9, 2026
0

The most common question organizations are asking right now is some version of this: How do we make our AI-generated...

MVP Development on a Founder Budget: What to Cut and What to Keep

MVP Development on a Founder Budget: What to Cut and What to Keep

by FeeOnlyNews.com
July 9, 2026
0

A founder I know spent $31,000 before a single real user touched his product. Not on the core workflow. On...

Bond Vet and Small Door Merge to Form One of the Nation’s Largest Premium Veterinary Networks – AlleyWatch

Bond Vet and Small Door Merge to Form One of the Nation’s Largest Premium Veterinary Networks – AlleyWatch

by FeeOnlyNews.com
July 9, 2026
0

Bond Vet and Small Door Veterinary, two New York-founded providers of premium pet care, have finalized a merger that creates...

Next Post
Have trading volumes dropped after STT hike on F&O? Here’s what data shows

Have trading volumes dropped after STT hike on F&O? Here's what data shows

Elbit Systems unit buys Israeli AI company

Elbit Systems unit buys Israeli AI company

  • Trending
  • Comments
  • Latest
House backs an emergency brake on elder fraud

House backs an emergency brake on elder fraud

June 26, 2026
Entry-Level Rentals Are Disappearing—Here’s How Landlords Can Fill the Gap

Entry-Level Rentals Are Disappearing—Here’s How Landlords Can Fill the Gap

June 18, 2026
Your Next Forever Stamp Purchase Will Soon Cost More. See the New Price

Your Next Forever Stamp Purchase Will Soon Cost More. See the New Price

July 11, 2026
LPL surges in JD Power advisor satisfaction rankings

LPL surges in JD Power advisor satisfaction rankings

July 9, 2026
Iran war cost U.S. households ,000 each, top economist says

Iran war cost U.S. households $1,000 each, top economist says

July 1, 2026
A Saints legend is selling fans a piece of professional sports for 0

A Saints legend is selling fans a piece of professional sports for $500

June 20, 2026
Leading energy company files for bankruptcy

Leading energy company files for bankruptcy

0
FREE ReadingIQ One-Year Subscription with the purchase of ABCmouse!

FREE ReadingIQ One-Year Subscription with the purchase of ABCmouse!

0
Mewgenics trailer released after 13 years

Mewgenics trailer released after 13 years

0
USD/JPY Technical Analysis | Investing.com

USD/JPY Technical Analysis | Investing.com

0
Market trading guide: CDSL among 2 stock recommendations for Monday

Market trading guide: CDSL among 2 stock recommendations for Monday

0
Your Water Bill Could Skyrocket Due to Climate Change, Study Says

Your Water Bill Could Skyrocket Due to Climate Change, Study Says

0
A Trump Account could make your kid a millionaire—but financial experts warn of a catch

A Trump Account could make your kid a millionaire—but financial experts warn of a catch

July 12, 2026
Market trading guide: CDSL among 2 stock recommendations for Monday

Market trading guide: CDSL among 2 stock recommendations for Monday

July 12, 2026
Your Water Bill Could Skyrocket Due to Climate Change, Study Says

Your Water Bill Could Skyrocket Due to Climate Change, Study Says

July 12, 2026
Is Everybody Ready to Pay  More for a Delivery?

Is Everybody Ready to Pay $3 More for a Delivery?

July 12, 2026
Bitfufu Reports June 2026 Bitcoin Production and Hashrate Metrics

Bitfufu Reports June 2026 Bitcoin Production and Hashrate Metrics

July 12, 2026
Iran War: Iran Rejects Trump 24 Hour Ultimatum; US Launches Intense Attacks With Kuwait and Bahrain; Iran Closes Strait of Hormuz, Starts Counter-Strikes; Rumors of Mining of Oman Channel

Iran War: Iran Rejects Trump 24 Hour Ultimatum; US Launches Intense Attacks With Kuwait and Bahrain; Iran Closes Strait of Hormuz, Starts Counter-Strikes; Rumors of Mining of Oman Channel

July 12, 2026
FeeOnlyNews.com

Get the latest news and follow the coverage of Business & Financial News, Stock Market Updates, Analysis, and more from the trusted sources.

CATEGORIES

  • Business
  • Cryptocurrency
  • Economy
  • Financial Planning
  • Investing
  • Market Analysis
  • Markets
  • Money
  • Personal Finance
  • Startups
  • Stock Market
  • Trading

LATEST UPDATES

  • A Trump Account could make your kid a millionaire—but financial experts warn of a catch
  • Market trading guide: CDSL among 2 stock recommendations for Monday
  • Your Water Bill Could Skyrocket Due to Climate Change, Study Says
  • Our Great Privacy Policy
  • Terms of Use, Legal Notices & Disclaimers
  • About Us
  • Contact Us

Copyright © 2022-2024 All Rights Reserved
See articles for original source and related links to external sites.

Welcome Back!

Sign In with Facebook
Sign In with Google
Sign In with Linked In
OR

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
No Result
View All Result
  • Home
  • Business
  • Financial Planning
  • Personal Finance
  • Investing
  • Money
  • Economy
  • Markets
  • Stocks
  • Trading

Copyright © 2022-2024 All Rights Reserved
See articles for original source and related links to external sites.