Google's insecure-by-default API keys and 30h billing lag cost my startup $15k
tertervat
57 points
5 comments
March 30, 2026
Discussion Highlights (3 comments)
zem
I really hope that one effect of AI code generators making code cheaper to write is that the calculus around "accept vendor lock-in in return for getting up and running faster" changes dramatically.
hedora
Is there an easy way to know if I'm vulnerable to this? Like some dashboard page that lists all the API keys with "revoke" buttons? I did something or another with a Google API years ago, and am not looking forward to a random surprise bill. They don't have my credit card, so maybe that'd solve the problem. On the other hand, they could hold a Gmail account hostage.
kingstnap
This is interesting but the linked article is even more interesting. https://trufflesecurity.com/blog/google-api-keys-werent-secr...

> Even Google themselves had old public API keys, which they thought were non-sensitive, that we could use to access Google’s internal Gemini.

This is just a classic slow clap here for Cloud.