I said this when this finding was originally posted and I'll say it again: This is by far the worst security incident Google has ever had, and that's why they aren't publicly or loudly responding to it. It's deeply embarrassing. They can't fix it without breaking customer workflows. They really, really want it to just go away and six months from now they'll complete their warning period to their enterprise contracts and then they can turn off this automated grant. Until then they want as few people to know about it as possible, and that means if you aren't on anyone's big & important customer list internally, and you missed the single 40px blurb they put on a buried developer documentation site, you're vulnerable and this will happen to you.
Disgusting behavior.
This is only a little billing leakage; Operation Aurora in 2009 was 100x worse.
And this is why we invented segmentation, and everybody who is still not doing that is paying now, and this is fine.
Google is not the only culprit here;
It's not a security incident because it makes Google money. It's extra revenue. They are embarrassed all the way to the bank.
At some point, when it appeared 2 months ago on HN and they still did nothing about it, intentionality can be assumed.