Google users fight for refunds as unauthorized API usage bills soar
Briefly

"Several Google Cloud customers say their API keys have been compromised and used by bad actors to run inferencing workloads using the most expensive video and picture models, leaving them with bills for tens of thousands of dollars and weeks of back-and-forth headaches with the Chocolate Factory as they tried to prove they were not responsible for the mess."
"Google told The Register this is an industry-wide problem and not a security issue specific to Google. It said the vast majority of these incidents happen due to compromised user credentials such as API keys inadvertently leaked on public code repositories like GitHub, and malicious actors who are actively scraping public repositories."
"Google said it encourages all customers to implement robust security practices, including enabling multi-factor authentication, routinely auditing API keys, and ensuring credentials are never committed to public repositories. But those explanations are complicated by developers and security threat researchers who said there are thousands of accounts which are following Google's own site configuration rules by placing their APIs in a public client."
"Additionally, one user told The Register they had spending caps in place that should have stopped any bill over $250. Yet according to Google those caps can be automatically upgraded to $100,000 - without user input - if the user has spent a total of $1,000 throughout the life of the account, and the account is more than a month old."
Google Cloud customers report API keys being compromised and then used quickly to run expensive video and image inferencing workloads. The resulting charges reach thousands of dollars within minutes, sometimes leading to tens of thousands in total costs and prolonged efforts to prove the activity was not authorized. Google states the issue is industry-wide and typically stems from compromised user credentials, especially API keys leaked in public code repositories or scraped from them by malicious actors. Google recommends multi-factor authentication, routine API key auditing, and never committing credentials to public repositories. Some reports claim keys were exposed even when placed in public clients according to Google’s configuration guidance. Spending caps may also be automatically increased under certain account conditions without user input.
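The mitigation the article keeps returning to is keeping API keys out of public repositories, since attackers scrape those repositories and then burn the leaked keys on expensive inference calls. The following is an added example (not code from the article, The Register, or Google) of a small pre-commit style secret scanner: it flags Google-style API keys by their well-known `AIza` prefix plus 35 URL-safe characters (the pattern common secret-scanning tools use, assumed here), plus any quoted value assigned to a name like `api_key`, `secret` or `token`. File names and contents are constructed sample input, and the key in them is deliberately fake.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, List

# Google API key format assumed from common secret scanners: "AIza" + 35 URL-safe chars.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

# Generic "name = 'value'" assignments where the name suggests a credential
# and the quoted value is long enough to be a real secret.
GENERIC_SECRET_RE = re.compile(
    r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never echo the full secret into logs or CI output


def redact(value: str) -> str:
    """Keep a recognisable prefix/suffix so a developer can locate the key."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents line by line and return every hit."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in GOOGLE_API_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "google-api-key", redact(m.group(0))))
        for m in GENERIC_SECRET_RE.finditer(line):
            value = m.group(2)
            if GOOGLE_API_KEY_RE.fullmatch(value):
                continue  # already reported by the specific rule above
            findings.append(Finding(path, line_no, "generic-secret", redact(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents (what a pre-commit hook gets from `git diff`)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def should_block_commit(findings: List[Finding]) -> bool:
    """Policy: any finding blocks the commit; developers must rotate and remove the key."""
    return bool(findings)


# Constructed sample input: a fake key that only matches the format, not a real credential.
FAKE_KEY = "AIza" + "EXAMPLE_NOT_A_REAL_KEY_".ljust(35, "0")
SAMPLE_FILES = {
    # Key embedded in a browser-side script tag: exactly the "public client" case.
    "web/index.html": f'<script src="https://maps.googleapis.com/maps/api/js?key={FAKE_KEY}"></script>',
    # Key hard-coded in server configuration.
    "server/config.py": f'API_KEY = "{FAKE_KEY}"',
    # Short dummy value: not long enough to be treated as a secret.
    "server/settings.py": 'SECRET_TOKEN = "hunter2"',
    # Credential-like assignment that is not a Google key.
    "README.md": 'token = "deadbeefdeadbeefdeadbeef0123"',
}


def main(argv: List[str]) -> int:
    if argv:
        files = {p: open(p, encoding="utf-8", errors="replace").read() for p in argv}
    else:
        files = SAMPLE_FILES
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
    return 1 if should_block_commit(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to scan the constructed samples, or pass the paths `git diff --cached --name-only` reports to use it as a pre-commit hook; a non-zero exit blocks the commit. A scanner like this catches the accidental push, but a key that is intended to ship in a public client (the article's second complaint) is visible by design, so the remaining controls are on the Google side: key restrictions (HTTP referrers, allowed APIs), routine rotation, and budget alerts that fire on unusual spend.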
Read at theregister