A Google Cloud developer woke up to a $17,000 bill from API calls he never made, highlighting a deeper issue: how cloud platforms define their own security standards.

Google Cloud COO Francis de Souza recently stated security must be integrated into AI strategies from the start. Yet, security researchers found that deleted Google API keys remain usable for up to 23 minutes after deletion. Developers are fighting for refunds after unauthorized API calls generated five-figure bills.

- Figure 1 -

Aikido Security researchers documented a revocation window of 8 to 23 minutes during which a deleted key is still accepted, so an attacker holding a leaked key can keep using it after the owner believes it is dead. Google has classified the report "Won't Fix (Infeasible)." Meanwhile, Prentus CEO Rod Danan ran up a $10,138 bill in minutes, and Sydney developer Isuru Fonseka was charged $17,000 despite having set a $250 budget; a Google Cloud budget only sends alerts and does not stop spending on its own unless paired with automation that disables billing. Google reimbursed both after media coverage but refused to change policy.
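The practical consequence of that window is that a successful delete call is not the end of the incident: the key has to be probed until the service actually rejects it. The script below is an added example, not code from the article, Aikido or Google. It polls a probe with the deleted key, reports the observed propagation delay, and gives up after a timeout. The HTTP probe takes whatever URL the caller supplies (no specific Google endpoint is assumed), and the in-memory key store and fake clock are constructed stand-ins so the logic can be run offline with a simulated 23-minute delay.

```python
"""Confirm that a deleted API key is really rejected, and measure how long
the revocation takes to propagate. Added example, not the article's code."""
import time
import urllib.error
import urllib.request
from typing import Callable, Optional


def measure_revocation_window(probe: Callable[[str], bool], key: str,
                              interval_s: float = 5.0, timeout_s: float = 1800.0,
                              clock: Callable[[], float] = time.monotonic,
                              sleep: Callable[[float], None] = time.sleep) -> Optional[float]:
    """Poll until `probe` reports the key rejected.

    Returns the seconds elapsed between the first probe and the first rejection,
    or None if the key is still accepted once `timeout_s` has passed. `clock` and
    `sleep` are injectable so the loop can be exercised without real waiting.
    """
    start = clock()
    while True:
        if not probe(key):
            return clock() - start
        if clock() - start >= timeout_s:
            return None
        sleep(interval_s)


def http_probe(url: str, param: str = "key") -> Callable[[str], bool]:
    """Build a probe that sends the key as a query parameter (the usual convention
    for Google API keys) and treats HTTP 401/403 as 'rejected'. Any other result,
    including a network error, counts as 'not yet rejected' so polling continues.
    The URL is an input from the caller; nothing here names a real endpoint."""
    def probe(key: str) -> bool:
        sep = "&" if "?" in url else "?"
        req = urllib.request.Request(f"{url}{sep}{param}={key}", method="GET")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status < 400
        except urllib.error.HTTPError as e:
            return e.code not in (401, 403)
        except urllib.error.URLError:
            return True
    return probe


class EventuallyConsistentKeyStore:
    """Constructed stand-in for a service whose deletions propagate late: the
    delete call returns immediately, but the key keeps working for `propagation_s`."""
    def __init__(self, propagation_s: float, clock: Callable[[], float]):
        self.propagation_s = propagation_s
        self.clock = clock
        self.deleted_at: dict = {}

    def delete(self, key: str) -> None:
        self.deleted_at[key] = self.clock()   # "deleted" from the caller's view

    def accepts(self, key: str) -> bool:
        t = self.deleted_at.get(key)
        return t is None or self.clock() - t < self.propagation_s


class FakeClock:
    """Manual clock so the demo runs instantly instead of waiting 23 minutes."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, s: float) -> None:
        self.t += s


def demo(propagation_s: float = 23 * 60, interval_s: float = 30.0) -> Optional[float]:
    """Delete a constructed key from the simulated store, then measure how long
    it stays usable. Default parameters reproduce the 23-minute upper bound."""
    clk = FakeClock()
    store = EventuallyConsistentKeyStore(propagation_s, clk.now)
    key = "constructed-example-key"        # not a real credential
    store.delete(key)
    return measure_revocation_window(store.accepts, key, interval_s=interval_s,
                                     timeout_s=3600.0, clock=clk.now, sleep=clk.sleep)


if __name__ == "__main__":
    seconds = demo()
    print("still accepted at timeout" if seconds is None
          else f"key rejected after {seconds / 60:.1f} minutes")
```

Against a real service you would pass `http_probe("https://<api-host>/<some-read-only-call>")` with the real clock and sleep; the constructed store is only there to show that the loop returns the delay rather than trusting the delete response.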

- Figure 2 -

The gap between Google's security advice and its platform practices reveals a structural conflict where the company sells security while its incentives prioritize uptime and billing continuity over customer protection.