A dev was setting up a new project. They typed const STRIPE_KEY = "sk_live_ and the autocomplete offered them a full key. They accepted it without thinking — it's how autocomplete works.

The key worked. They tested a payment. It went through. Charges started flowing into someone else''s Stripe account — a small company in Germany that had apparently left their key in a public repo at some point. The two companies were not related. They had never interacted.

Our dev noticed within minutes because the dashboard showed "€0.00 balance" — not their account. They rotated everything, contacted the German company, contacted Stripe, spent a week writing apologetic emails. Nobody was sure whose liability the incident even was.

The autocomplete had been trying to help. The key had appeared in its training set. It was pattern-matching. It was extremely correct about what the next token should be and extremely wrong about whether it should exist.