How Can Data Leak from a Private GitHub Repo?

Asked By CuriousCat92 On

I'm confused about how a data leak could happen from a private GitHub repository. A student ended up with a massive bill of $55,444.78 on Google Cloud because their Gemini API key was leaked on GitHub. If the repository was supposed to be private and everything was encrypted, how could this happen?

5 Answers

Answered By VibeChecker26 On

I’m getting some bad vibes from this entire situation.

Answered By OpenSourceFan45 On

There’s another thing to consider. If you fork a public repo, all of your history goes public even if your new repo is private. That could be a way this happened.

Answered By CodeMaster42 On

Never assume your repo is private. Always avoid checking in your private keys and set limits on your cloud compute accounts to protect yourself from massive bills.

SecuritySavvy01 -

Totally agree! Also, you should never commit those API keys in the first place.

Answered By TechWhiz99 On

According to that post, the repository wasn't actually private. They thought it was, but if it was truly private, only people with access would see it. Regardless, it's a bad practice to commit API keys to any repository, private or not. You should always use a secrets manager and store those keys as environment variables instead of hard-coding them in your project. This avoids accidental leaks when you push your code.

DevGuru77 -

Exactly! Also, keep in mind that deleting a hard-coded key isn’t enough. It’s crucial to check the entire commit history. And don’t forget to set usage limits on your API keys!
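DevGuru77's point about the commit history and CodeMaster42's point about never checking keys in can both be checked mechanically. The following is an added example, not code from anyone in this thread: a small Python scanner that reads `git log -p --all` (every commit on every branch, not just HEAD) and flags diff lines that look like credentials, so a key that was later deleted from the working tree is still reported. The same function run over `git diff --cached` serves as a pre-commit check. The key patterns are assumptions made here (the `AIza` + 35 characters shape is the commonly used Google API key format, `AKIA` + 16 the AWS access key id format), and the sample log and sample key are constructed for the example.

```python
"""Scan a git repository's full history for credential-shaped strings.

Added example. `scan_text` is pure, so it can be exercised on constructed
input; `scan_history` and `scan_staged` feed it real `git` output.
"""
import re
import subprocess
from dataclasses import dataclass

# Assumed key formats (not from the thread): Google API keys are "AIza" plus
# 35 URL-safe characters, AWS access key ids are "AKIA" plus 16 upper/digits.
# The generic pattern catches "<something>_key = "<long literal>"" assignments.
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z\-_]{35}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "generic_secret_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"][^'\"]{16,}['\"]"
    ),
}


@dataclass(frozen=True)
class Finding:
    commit: str   # commit hash the line belongs to ("staged" for the index)
    kind: str     # name of the pattern that matched
    secret: str   # the matched text, useful for building a rotation list
    line: str     # the diff line without its +/- marker


def scan_text(diff_text: str, default_commit: str = "unknown") -> list[Finding]:
    """Scan `git log -p`-style text. Added and removed lines are both checked,
    because a removed line is still present in the commit that removed it."""
    findings = []
    commit = default_commit
    for raw in diff_text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1]
            continue
        # Only content lines count; skip the "+++ b/file" / "--- a/file" headers.
        if not raw or raw[0] not in "+-" or raw.startswith(("+++", "---")):
            continue
        body = raw[1:]
        for kind, pattern in PATTERNS.items():
            match = pattern.search(body)
            if match:
                findings.append(Finding(commit, kind, match.group(0), body.strip()))
                break  # one finding per line; the most specific pattern wins
    return findings


def scan_history(repo_path: str = ".") -> list[Finding]:
    """Every commit on every branch, so a deleted key is still found."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--format=commit %H"],
        check=True, capture_output=True, text=True, errors="replace",
    ).stdout
    return scan_text(out)


def scan_staged(repo_path: str = ".") -> list[Finding]:
    """Pre-commit use: check only what is about to be committed."""
    out = subprocess.run(
        ["git", "-C", repo_path, "diff", "--cached"],
        check=True, capture_output=True, text=True, errors="replace",
    ).stdout
    return scan_text(out, default_commit="staged")


# Constructed sample key (not a real credential): the "AIza" prefix plus 35
# filler characters so it has the right shape.
SAMPLE_KEY = "AIza" + "EXAMPLEKEY" * 3 + "12345"

# Constructed `git log -p` output: commit aaaa... hard-codes the key, commit
# bbbb... replaces it with an environment lookup. Both commits still carry
# the key, which is why deleting it from HEAD does not un-leak it.
SAMPLE_LOG = f"""commit {"b" * 40}
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,2 @@
-GEMINI_API_KEY = "{SAMPLE_KEY}"
+GEMINI_API_KEY = os.environ["GEMINI_API_KEY"]
commit {"a" * 40}
diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
@@ -0,0 +1,2 @@
+import os
+GEMINI_API_KEY = "{SAMPLE_KEY}"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f.commit[:8], f.kind, f.line)
```

Run against a real checkout with `scan_history("/path/to/repo")`; anything it reports has to be treated as compromised and rotated, since rewriting history does not recall clones or forks that already have it. Hooking `scan_staged()` into a pre-commit hook stops the key from entering history in the first place, which is the cheaper fix.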

Answered By DataNinja84 On

It’s possible the repo was switched to private after they realized what happened. But it's likely that it was public before they found out.
