No Result
View All Result
SUBMIT YOUR ARTICLES
  • Login
Thursday, July 9, 2026
TheAdviserMagazine.com
  • Home
  • Financial Planning
    • Financial Planning
    • Personal Finance
  • Market Research
    • Business
    • Investing
    • Money
    • Economy
    • Markets
    • Stocks
    • Trading
  • 401k Plans
  • College
  • IRS & Taxes
  • Estate Plans
  • Social Security
  • Medicare
  • Legal
  • Home
  • Financial Planning
    • Financial Planning
    • Personal Finance
  • Market Research
    • Business
    • Investing
    • Money
    • Economy
    • Markets
    • Stocks
    • Trading
  • 401k Plans
  • College
  • IRS & Taxes
  • Estate Plans
  • Social Security
  • Medicare
  • Legal
No Result
View All Result
TheAdviserMagazine.com
No Result
View All Result
Home Market Research Startups

A Google Cloud developer woke up to a $17,000 bill from API calls he never made, and the part that actually matters is what it reveals about how cloud platforms define their own security standards

by TheAdviserMagazine
1 month ago
in Startups
Reading Time: 3 mins read
A A
A Google Cloud developer woke up to a ,000 bill from API calls he never made, and the part that actually matters is what it reveals about how cloud platforms define their own security standards
Share on FacebookShare on TwitterShare on LInkedIn


The COO of Google Cloud spent part of last week telling executives that security cannot be bolted onto AI strategies after the fact. The same week, security researchers published findings showing that deleted Google API keys remain usable by attackers for up to 23 minutes, and Google Cloud developers continued seeking refunds for five-figure bills triggered by API calls they never authorized. The gap between the advice and the practice is the story.

Photo by panumas nikhomkhai on Pexels

The prescription

Francis de Souza, Google Cloud’s COO, shared at a recent Los Angeles event that companies need to demand security, governance, and auditability from their platforms from the start, and warned specifically about “shadow AI” — employees reaching for consumer tools without organisational oversight. His framing: “There’s no such thing as an AI strategy without a data strategy and a security strategy. They need to go hand in hand.”

The framing of the threat landscape is equally striking. Google’s own Mandiant M-Trends 2026 report, presented at RSAC, found that adversary coordination has driven the time between initial access and hand-off to a follow-on attacker down to 22 seconds. The implication: human-led defence is structurally too slow. Google Cloud’s proposed answer, articulated at Cloud Next 2026, is a shift from human-in-the-loop to AI-led defence, with humans overseeing rather than operating in the loop.

The practice

While that case was being made, The Register was documenting a different story about the same platform. Prentus CEO Rod Danan watched his Google Cloud bill hit $10,138 in about 30 minutes after attackers used a compromised API key. Sydney-based developer Isuru Fonseka woke up to charges of roughly AUD $17,000 despite believing he had a $250 spending cap in place. Google later reimbursed both after the reporting appeared but said it would not change the underlying policy.

The mechanism is worth pausing on. A February analysis by Truffle Security researcher Joe Leon documented that API keys originally deployed for Google Maps — keys Google’s own documentation told developers to paste publicly into HTML — quietly became capable of accessing Gemini models after Google expanded their scope. Truffle’s scan of public web sources turned up 2,863 live Google API keys exposed to this vector. Separately, Google’s automated systems upgraded users’ billing tiers based on account history, raising effective ceilings as high as $100,000 without explicit consent. Google has indicated it will continue that automatic tier-upgrade policy, citing a preference for preventing service outages over enforcing user-stated budget caps.

The 23-minute window

The credential-revocation issue is the more revealing of the two. Researchers at Aikido Security, led by Joe Leon, found that even developers who catch a compromised key and immediately delete it may not be safe. Across ten controlled trials, the revocation window ranged from about eight minutes to nearly 23, with a median around 16. During that window, success rates are unpredictable — in some minutes, over 90% of requests still authenticated; in others, fewer than 1%. Attackers can use the time to exfiltrate files and cached Gemini conversation data.

Aikido’s analysis indicates that Google’s newer credential formats don’t have the same problem: service account API credentials revoke in about five seconds, and Gemini’s AQ-prefixed key format takes about a minute. Both run at Google scale, suggesting this is technically solvable for standard Google API keys too. Google told Aikido it has no plans to address the gap, closing the report as “Won’t Fix (Infeasible)” and describing the propagation delay as working as intended. The 23-minute window, in other words, is a question of priorities rather than engineering constraint.

Why this matters structurally

The standard reading of incidents like these is that they reflect implementation gaps a large platform will eventually close. The institutional reading is harder. Cloud platforms are simultaneously selling AI infrastructure, AI security tooling, and the analytical frameworks customers use to think about AI risk. The same company that prescribes the standard also defines what counts as meeting it, and operates with internal incentives — uptime, billing continuity, default expansion of API scope — that don’t always align with the customer’s stated security posture.

De Souza himself has been candid that the industry is still figuring this out, telling TechCrunch that everyone is “navigating AI security in real time” and that a sustainable long-term understanding of AI security remains several years away. That is a candid assessment from someone whose job is to have answers.

Silicon Canals has previously examined how the AI industry’s confidence in its own architecture is being quietly walked back in private even as it’s marketed in public. The security layer is following a similar pattern. The advice from platform leaders is sound. The practice on the same platforms is several steps behind the advice. Both things are true, and customers are being asked to act on the prescription while absorbing the cost of the gap.

api key vulnerability
Photo by Tima Miroshnichenko on Pexels



Source link

Tags: APIbillcallscloudDefineDeveloperGoogleMatterspartplatformsrevealsSecuritystandardsWoke
ShareTweetShare
Previous Post

Soroka reconstruction plan comprises five new buildings

Next Post

Rising bond yields and inflation remain key risks for markets: Candace Browning

Related Posts

edit post
General Intuition just raised 0M on a thesis that sounds absurd — that video game data, not real robot telemetry, will produce the GPT of embodied AI

General Intuition just raised $320M on a thesis that sounds absurd — that video game data, not real robot telemetry, will produce the GPT of embodied AI

by TheAdviserMagazine
July 9, 2026
0

General Intuition, a startup building what it describes as a foundation model for embodied AI, has raised $320 million at...

edit post
Stepful Raises M to Break Healthcare’s B Dependence on Contract Staffing – AlleyWatch

Stepful Raises $55M to Break Healthcare’s $97B Dependence on Contract Staffing – AlleyWatch

by TheAdviserMagazine
July 8, 2026
0

America’s healthcare labor shortage has hardened into a structural crisis: health systems now spend $97B annually on contract and agency...

edit post
You blame Visa and Mastercard for the swipe fee, but they keep almost none of it — the fat cut, called interchange, flows straight to the bank that issued your card, and it barely exists in the countries that built their own payment rails

You blame Visa and Mastercard for the swipe fee, but they keep almost none of it — the fat cut, called interchange, flows straight to the bank that issued your card, and it barely exists in the countries that built their own payment rails

by TheAdviserMagazine
July 8, 2026
0

When a Visa-branded card taps a terminal at a Manhattan bodega and the customer walks out with a $4 coffee,...

edit post
Psychology says people who struggle in classrooms but excel at reading a room, fixing an engine, or sensing what someone needs aren’t slow learners, they’re often operating in a form of intelligence the traditional school system was never designed to measure

Psychology says people who struggle in classrooms but excel at reading a room, fixing an engine, or sensing what someone needs aren’t slow learners, they’re often operating in a form of intelligence the traditional school system was never designed to measure

by TheAdviserMagazine
July 8, 2026
0

There’s a particular word that gets stapled to certain kids early and never fully peels off. Slow. It shows up...

edit post
Bristlecone pines growing in the White Mountains of California germinated before the Great Pyramid was built, and the oldest one alive today, nicknamed Methuselah, has been quietly adding rings for 4,855 years in soil so poor almost nothing else survives beside it

Bristlecone pines growing in the White Mountains of California germinated before the Great Pyramid was built, and the oldest one alive today, nicknamed Methuselah, has been quietly adding rings for 4,855 years in soil so poor almost nothing else survives beside it

by TheAdviserMagazine
July 8, 2026
0

A single Great Basin bristlecone pine growing in the White Mountains of eastern California has been alive for 4,855 years....

edit post
The Company We Wish Existed

The Company We Wish Existed

by TheAdviserMagazine
July 7, 2026
0

People often ask me what motivated me to build York IE. The answer is pretty simple: I lived the startup...

Next Post
edit post
Rising bond yields and inflation remain key risks for markets: Candace Browning

Rising bond yields and inflation remain key risks for markets: Candace Browning

edit post
Elbit Systems unit buys Israeli AI company

Elbit Systems unit buys Israeli AI company

  • Trending
  • Comments
  • Latest
edit post
Mass Fraud in Massachusetts Committed by Illegal Immigrants Discovered

Mass Fraud in Massachusetts Committed by Illegal Immigrants Discovered

June 22, 2026
edit post
New York Seniors: 6 STAR Tax Relief Rules That Could Put a Bigger Check in Your Mailbox

New York Seniors: 6 STAR Tax Relief Rules That Could Put a Bigger Check in Your Mailbox

June 20, 2026
edit post
5 Pennsylvania Rebate Rules Seniors Should Check Before the Property Tax/Rent Deadline

5 Pennsylvania Rebate Rules Seniors Should Check Before the Property Tax/Rent Deadline

June 18, 2026
edit post
Retail giant exits U.S. fashion after multi-million-dollar scandal

Retail giant exits U.S. fashion after multi-million-dollar scandal

July 1, 2026
edit post
Same Portfolio. Same Retirement. A 10-Mile Move Costs One Couple ,000 A Year

Same Portfolio. Same Retirement. A 10-Mile Move Costs One Couple $10,000 A Year

June 27, 2026
edit post
Louisiana’s Age-Tiered Homestead Exemption: 8 Details About the Proposed 2028 Amendment

Louisiana’s Age-Tiered Homestead Exemption: 8 Details About the Proposed 2028 Amendment

June 15, 2026
edit post
AT&T leaves rivals flat-footed as bankrupt carrier folds

AT&T leaves rivals flat-footed as bankrupt carrier folds

0
edit post
Inside Royal Caribbean’s New Over-the-Top Cruise Ship

Inside Royal Caribbean’s New Over-the-Top Cruise Ship

0
edit post
General Intuition just raised 0M on a thesis that sounds absurd — that video game data, not real robot telemetry, will produce the GPT of embodied AI

General Intuition just raised $320M on a thesis that sounds absurd — that video game data, not real robot telemetry, will produce the GPT of embodied AI

0
edit post
Dr Reddy’s shares slide 7% after delay in semaglutide supplies over quality concerns

Dr Reddy’s shares slide 7% after delay in semaglutide supplies over quality concerns

0
edit post
4 More Cars Win Top Safety Awards. Judges Want More Improvements

4 More Cars Win Top Safety Awards. Judges Want More Improvements

0
edit post
Affordable Care Act Insurers Want More Premium Increases as Enrollment Sags

Affordable Care Act Insurers Want More Premium Increases as Enrollment Sags

0
edit post
Dr Reddy’s shares slide 7% after delay in semaglutide supplies over quality concerns

Dr Reddy’s shares slide 7% after delay in semaglutide supplies over quality concerns

July 9, 2026
edit post
General Intuition just raised 0M on a thesis that sounds absurd — that video game data, not real robot telemetry, will produce the GPT of embodied AI

General Intuition just raised $320M on a thesis that sounds absurd — that video game data, not real robot telemetry, will produce the GPT of embodied AI

July 9, 2026
edit post
How global energy markets built the ‘Amazon of oil’ logistics to keep prices from spiraling

How global energy markets built the ‘Amazon of oil’ logistics to keep prices from spiraling

July 9, 2026
edit post
Kraken Wins  Million Arbitration as Arjun Sethi Calls for Clear Crypto Rules

Kraken Wins $22 Million Arbitration as Arjun Sethi Calls for Clear Crypto Rules

July 9, 2026
edit post
4 More Cars Win Top Safety Awards. Judges Want More Improvements

4 More Cars Win Top Safety Awards. Judges Want More Improvements

July 9, 2026
edit post
SBI Funds Management sets IPO price band at Rs 545–574 for Rs 11,693 crore public offer

SBI Funds Management sets IPO price band at Rs 545–574 for Rs 11,693 crore public offer

July 8, 2026
The Adviser Magazine

The first and only national digital and print magazine that connects individuals, families, and businesses to Fee-Only financial advisers, accountants, attorneys and college guidance counselors.

CATEGORIES

  • 401k Plans
  • Business
  • College
  • Cryptocurrency
  • Economy
  • Estate Plans
  • Financial Planning
  • Investing
  • IRS & Taxes
  • Legal
  • Market Analysis
  • Markets
  • Medicare
  • Money
  • Personal Finance
  • Social Security
  • Startups
  • Stock Market
  • Trading

LATEST UPDATES

  • Dr Reddy’s shares slide 7% after delay in semaglutide supplies over quality concerns
  • General Intuition just raised $320M on a thesis that sounds absurd — that video game data, not real robot telemetry, will produce the GPT of embodied AI
  • How global energy markets built the ‘Amazon of oil’ logistics to keep prices from spiraling
  • Our Great Privacy Policy
  • Terms of Use, Legal Notices & Disclosures
  • Contact us
  • About Us

© Copyright 2024 All Rights Reserved
See articles for original source and related links to external sites.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
No Result
View All Result
  • Home
  • Financial Planning
    • Financial Planning
    • Personal Finance
  • Market Research
    • Business
    • Investing
    • Money
    • Economy
    • Markets
    • Stocks
    • Trading
  • 401k Plans
  • College
  • IRS & Taxes
  • Estate Plans
  • Social Security
  • Medicare
  • Legal

© Copyright 2024 All Rights Reserved
See articles for original source and related links to external sites.