API keys, unencrypted GCP storage, and nearly 900K users exposed—what went wrong and how to prevent it.
