Service account key files stored in code repositories - Overly permissive primitive roles (Owner, Editor) assigned at project level - Default compute service account with Editor role (very permissive) - Firebase databases with insecure rules allowing public read/write - Cloud Functions with publicly