🟠 High | Source: The Register — Security
A developer reports that Google detected and warned him about an account hijack on his Google Cloud account, yet still processed approximately $11,000 in fraudulent charges run up by the attacker. The incident highlights a disconnect between Google’s threat detection and billing protection mechanisms, leaving the victim liable despite the provider being aware of the compromise. This is a cautionary tale about assuming cloud provider warnings automatically trigger financial safeguards.
Security Architect’s Take: Implement hard billing caps and budget alerts with automatic project suspension in Google Cloud to limit blast radius from compromised credentials — never rely solely on provider notifications to halt fraudulent spend. Additionally, enforce least-privilege service accounts, enable anomaly detection via Security Command Center, and establish a documented incident response runbook that includes immediate credential revocation and billing escalation steps.
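One concrete form of the "budget alerts with automatic project suspension" control above, as an added example that is not from the article or from Google: a Python Cloud Function that consumes Cloud Billing budget notifications from the budget's Pub/Sub topic and detaches the project from its billing account once spend reaches the budget. The PROJECT_ID value, the hard_cap_ratio parameter and the sample event are assumptions or constructed, and the function's service account is assumed to hold the Billing Account Administrator role.

```python
import base64
import json
import os

# Placeholder for the project to cut off; not a value from the article.
PROJECT_ID = os.environ.get("PROJECT_ID", "example-project-placeholder")

# Constructed sample of the JSON a Cloud Billing budget publishes to Pub/Sub.
SAMPLE_EVENT = {"data": base64.b64encode(json.dumps({
    "budgetDisplayName": "prod-monthly", "costAmount": 11000.0, "budgetAmount": 500.0,
    "alertThresholdExceeded": 1.0, "currencyCode": "USD"}).encode()).decode()}


def parse_budget_notification(event):
    """Decode the Pub/Sub envelope into the figures the decision needs."""
    payload = json.loads(base64.b64decode(event["data"]).decode("utf-8"))
    return {
        "cost": float(payload["costAmount"]),
        "budget": float(payload["budgetAmount"]),
        # Absent on the periodic (non-threshold) updates a budget also sends.
        "threshold": payload.get("alertThresholdExceeded"),
    }


def should_disable_billing(note, hard_cap_ratio=1.0):
    """True once spend reaches hard_cap_ratio of the budget."""
    # Budgets resend the same figures several times a day; keep this pure.
    return note["cost"] >= note["budget"] * hard_cap_ratio


def disable_billing(project_id):
    """Detach the project from its billing account (stops all billable use)."""
    # Imported lazily so the decision logic runs without Google libraries.
    from googleapiclient import discovery  # google-api-python-client

    billing = discovery.build("cloudbilling", "v1", cache_discovery=False)
    name = f"projects/{project_id}"
    info = billing.projects().getBillingInfo(name=name).execute()
    if not info.get("billingEnabled"):
        return "already disabled"
    billing.projects().updateBillingInfo(
        name=name, body={"billingAccountName": ""}).execute()
    return "disabled"


def on_budget_alert(event, context=None):
    """Cloud Functions (1st gen) Pub/Sub entry point."""
    if should_disable_billing(parse_budget_notification(event)):
        return disable_billing(PROJECT_ID)
    return "within budget"
```

Detaching billing halts every billable service in the project, which is the point of a hard cap, so rehearse it on a non-production project and pair it with the credential-revocation step in the runbook.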
Original advisory: Dev says Google warned him about account hijack – then charged him $11,000 anyway