⚡ Engineering War Stories from the Trenches

When Big Tech Breaks
& How They Fix It

The postmortems they published. The outages they survived. The fixes that saved millions of users. Read the real story — not the press release.

Case Studies

Companies

∞

Things Broke

100%

No Fiction

Netflix Chaos Engineering ★ 5.0

Netflix Unleashed a Monkey With a Weapon in Its Own Data Center — On Purpose

It was 2011 and Netflix had just migrated hundreds of microservices to AWS. Their architecture was distributed, horizontally scaled, and theoretically fault-tolerant. But theory and production are different things. The only way to know if a system could survive failures was to cause failures — constantly, deliberately, during business hours, and in production. So they built a monkey.

July 19 2011 blog published Business-hours instance killing 10 Simian Army members +3

Read full story →

Hotstar Live Streaming ★ 5.0

When MS Dhoni Got Out: How Hotstar Survived 25 Million Concurrent Users

July 9th, 2019. India vs New Zealand, Cricket World Cup semi-final. MS Dhoni walks to the crease and 1.1 million new viewers join Hotstar every single minute. Then he gets run out — and 24 million people hit the back button almost simultaneously.

25.3M peak concurrent 1.1M users/min growth 5.7 Tbps bandwidth +3

Read full story →

GitHub Databases

How GitHub Upgraded 1200 MySQL Hosts Without Dropping a Single Query

MySQL 5.7 was hitting end-of-life, and GitHub's production database fleet spanned 1,200 hosts, 300 terabytes of data, and 5.5 million queries every second. Getting from here to MySQL 8.0 without disrupting 100 million developers was going to take more than a weekend.

1,200+ MySQL hosts upgraded 300+ TB data migrated 5.5M queries/sec maintained +3

Read full story →

Slack Reliability

Slack Built a Big Red Button to Drain an Entire Data Center in Five Minutes

On June 30, 2021, a network link connecting one AWS availability zone failed — and Slack users felt it, despite Slack running in multiple availability zones. The postmortem question was brutal: why did a single AZ failure affect users at all? The answer drove 18 months of architecture work.

2021-06-30 AZ outage trigger 1.5 years migration time AZ drain in <5 minutes +3

Read full story →

Cloudflare Reliability

Cloudflare Fixed a React Security Vulnerability and Broke the Entire Network

In late 2025, Cloudflare was rolling out a fix for a React security vulnerability. To do so, they needed to disable an internal testing tool with a global killswitch. The killswitch, unexpectedly, triggered a bug that sent HTTP 500 errors across Cloudflare's entire global network. This was the third major configuration-related global outage in two years.

Dec 2025 global outage React CVE fix triggered outage Global killswitch bug +3

Read full story →

LinkedIn Messaging

LinkedIn Needed a Message Queue. They Built the One the Entire Internet Runs On.

In 2010, LinkedIn was drowning in data it couldn't move. Every ML model, every recommendation engine, every real-time feature was starving because there was no reliable way to get activity data from the website into the systems that needed it. Jay Kreps, Jun Rao, and Neha Narkhede spent a year building a fix. They named it after Franz Kafka. The rest of the internet adopted it.

1B events/day at launch (2011) 1T messages/day by 2015 7T messages/day by 2019 +3

Read full story →

Google Performance

Google Built a Free Design Tool That Generates Production Code From a Sentence — Then Added Multiplayer

At Google I/O 2025, Sundar Pichai demoed a tool that turned a plain English description into a complete mobile UI in under 30 seconds. Figma charges $15 per editor per month for collaborative design. Google Stitch does it free. A year later, Google added real-time multiplayer, a streaming design agent, and voice input. The design industry noticed.

Launched I/O May 20 2025 Galileo AI acquisition → Stitch rebrand Gemini 2.5 Pro multimodal core +3

Read full story →

Google Distributed Systems

Google's Gemini Omni Is the First AI That Creates From Anything — Here Is What That Actually Means

For three years, Google built Gemini to be 'natively multimodal.' At I/O 2026, they finally demonstrated what that phrase means in practice. Gemini Omni takes a photo, an audio clip, a video, and a text description — all at once — and produces a new video that reflects all of them simultaneously. This is not four models chained together. It is one.

Announced I/O May 19 2026 Any-to-any: text+image+audio+video → video Flash release: 10s clips, Gemini app + YouTube Shorts +3

Read full story →

GitHub Distributed Systems

GitHub Built the Internet's Code Platform — Then AI Agents Broke It

Between May 2025 and April 2026, GitHub experienced 257 incidents — 48 of them major outages. That's roughly one significant disruption every single week. The culprit wasn't a security breach, a botched deployment, or a rogue engineer. It was the thing GitHub had spent years celebrating: AI. Specifically, agentic AI workflows that turned one human developer's footprint into hundreds of commits, thousands of CI minutes, and a dozen simultaneous PR operations — all at once, across millions of accounts. GitHub had been built for humans. Agents are not human.

257 incidents — May 2025 to April 2026 48 major outages, 112+ hours total downtime 57 GitHub Actions outages in 12 months +5

Read full story →

OpenAI Reliability

OpenAI Deployed a Tool to Monitor Kubernetes — and It Took Down All of Kubernetes

On December 11, 2024, OpenAI deployed a new telemetry service designed to improve Kubernetes observability. Within 29 minutes, it had crashed the Kubernetes control plane across every cluster. ChatGPT, the API, and Sora were all unavailable for over four hours. The engineers trying to fix it couldn't run kubectl. The control plane that manages clusters was down — and it was the only way back in.

3:16 PM → 7:38 PM PST (4h 22min) ALL OpenAI services affected Kubernetes control plane down in most large clusters +3

Read full story →

AWS Distributed Systems

A Race Condition in DynamoDB's DNS Took Down Snapchat, Fortnite, Ring, and Half the Internet for 15 Hours

It was 11:48 PM PDT on October 19, 2025. Two automation processes inside AWS's DynamoDB DNS management system were doing the same job simultaneously — one fast, one painfully slow. The slow one was just finishing up when the fast one, having already completed, triggered a cleanup job that deleted the slow one's work. In that moment, every DNS record for DynamoDB in the world's busiest cloud region vanished. Snapchat went dark for 375 million daily users. Fortnite lobbies dissolved mid-match. Ring cameras stopped recording. The UK's HMRC tax authority went offline. For 15 hours, the internet's largest database service had no address.

October 19–20, 2025 — 15-hour outage in US-EAST-1 Root cause: race condition between two DNS Enactor processes DynamoDB offline for ~3 hours; EC2 cascade lasted 12+ more hours +5

Read full story →

Google Distributed Systems

Google's Own Cleanup Job Crashed Cloud Services Across 4 Continents — and Then Made Recovery Worse

On May 29, 2025, a Google engineer deployed new quota-checking code to Service Control — the system that authorizes every single API request across Google Cloud. The code had a bug: it couldn't handle a null value. But the bug was invisible during deployment because it could only be triggered by a specific type of policy data that hadn't appeared yet. Two weeks later, on June 12, an automated system pushed a routine policy update containing blank fields. The policy data replicated globally within seconds. Every Service Control binary in every region hit the null pointer, crashed, and refused to restart without eating itself. Spotify went down. Discord went down. Snapchat went down. Google's own status page went down. And when engineers deployed the fix, the restart surge overwhelmed the infrastructure — making the recovery worse than the crash.

June 12, 2025 — 7+ hour outage across North America, Europe, Far East, Africa Root cause: null pointer exception in Service Control binary from May 29 code change No feature flag protection and no error handling on the new code path +5

Read full story →

Discord Databases

How Discord Migrated Trillions of Messages and Fired Their Garbage Collector

It is 2022 and Discord's on-call engineers are babysitting a 177-node database cluster, manually rebooting nodes after Java GC pauses spiral out of control. The system holding every message ever sent is becoming the thing everyone fears touching most.

177 → 72 nodes p99 latency 15ms (was 40–125ms) 9-day migration (was 3-month est.) +3

Read full story →

Discord Reliability

Discord Killed the MacBook Dev Environment and Never Looked Back

Discord's engineering team had tripled in size and was drowning in a swamp of 'works on my machine' bugs — some engineers running macOS, some Ubuntu, all of them slowly. The solution was radical: no one gets a local dev environment anymore.

3x engineering org growth Mac→V1→V2 (two migrations) Began 2020, V2 done 2023 +3

Read full story →

Netflix Distributed Systems

Netflix Hit the AWS Instance Ceiling and Built a Workflow Engine That Scales Forever

Netflix's Meson orchestrator was handling hundreds of thousands of daily data and ML jobs — and running out of machine. Vertically scaling on AWS had a hard ceiling, and the workflows were doubling in size every year. The only way out was a complete architectural rethink.

2M+ jobs/day at peak Hundreds of thousands of workflows Meson → Maestro 2020 +3

Read full story →

Slack Reliability

Slack's Worst Day: When a Better Cache Manager Made Everything Worse

On February 22, 2022, Slack went down for many users — including the engineer designated as Incident Commander, who was authoring the postmortem from a position of personal experience. The culprit was a new component that worked exactly as designed.

Feb 22 2022 outage Consul rollout to 75% of fleet Cache hit rate collapsed +3

Read full story →

Stripe Databases

How Stripe Moves Petabytes Between Database Shards Without Stopping the Money

Stripe processed over $1 trillion in payment volume in 2023 while maintaining 99.999% uptime — five nines, fewer than 6 minutes of downtime all year. The infrastructure secret is a database platform called DocDB and a migration engine that moves petabytes of financial data between shards without any application knowing it happened.

$1T+ payment volume 2023 99.999% uptime achieved 5M database queries/sec +3

Read full story →

Slack Distributed Systems

Slack Rewrote Its Core Architecture for Enterprise — Because the Old One Was a Lie

Slack was built for teams in single workspaces. Enterprise customers were using it across dozens of workspaces simultaneously — and the architecture had never been designed for that. Every major enterprise feature was a workaround on top of a foundation that assumed one workspace per person. Slack spent two years rebuilding the foundation.

2 years development time Workspace-centric → org-wide Thousands of APIs refactored +3

Read full story →

Slack Reliability

Slack Cut Deploy-Related Customer Impact by 90% in Eighteen Months

73% of Slack's customer-facing incidents were being triggered by Slack itself — by its own code deploys. The team stopped treating each outage as a one-off and started treating deploy safety as a program, with metrics, milestones, and automated rollbacks. Eighteen months later, customer impact hours were down 90%.

73% incidents from own deploys 90% reduction in impact hours Manual → automatic rollbacks +3

Read full story →

Atlassian Reliability

How a Two-Line Script Silently Deleted 883 Customer Cloud Sites

At 07:38 UTC on April 5th, 2022, a maintenance script begins its run — methodical, peer-reviewed, totally routine. Twenty-three minutes later, 883 Atlassian Cloud sites have been permanently deleted, and the company's own incident management tool, Opsgenie, is one of the casualties.

883 sites deleted 14 days max outage 775 customers affected +3

Read full story →

Netflix Live Streaming

65 Million Streams: How Netflix Rebuilt Its Guts for Live

November 15, 2024: 65 million people log on to watch Mike Tyson fight Jake Paul, the largest live sports stream in history. Behind the scenes, Netflix engineers are white-knuckling a system they built from scratch — one where a single bad video segment, a CDN request storm, or a missed 2-second write deadline means millions of viewers see a black screen.

65M concurrent streams 113ms → 25ms p50 latency 200Gbps+ read throughput +3

Read full story →

Stripe Performance

Stripe Converted 3.7 Million Lines of JavaScript in One Pull Request on a Sunday

On Sunday, March 6, 2022, Stripe merged a single pull request that converted their entire largest JavaScript codebase from Flow to TypeScript. 3.7 million lines of code. Hundreds of engineers arrived Monday morning to start writing TypeScript. The migration had been invisible until it wasn't.

3.7M lines converted in 1 PR Single Sunday deploy Largest JS codebase at Stripe +3

Read full story →

GitHub Reliability

The Test That Broke GitHub: A Failover Drill Goes Live

June 29, 2023, 17:39 UTC: GitHub engineers initiate a planned live failover test of their brand-new second Internet edge facility — six months of infrastructure work designed to eliminate a single point of failure. Within seconds, instead of validating their redundancy, they've created an outage that takes GitHub offline for millions of developers across North America and South America.

32-minute outage 2-min detect-to-revert US East + South America +3

Read full story →

Shopify Databases

Shopify Sharded a Rails Database With Vitess and the App Never Knew It Happened

The Shop app was growing exponentially. Its single MySQL database was approaching vertical scaling limits. Shopify needed horizontal sharding — but they had a Rails monolith that expected a single database, and a system that couldn't have downtime during a commerce platform used by millions daily.

KateSQL → Vitess migration user_id as sharding key VTGate transparent to app +3

Read full story →

Shopify Databases

Shopify's Engineers Hunted Deadlocks at 19 Million Queries per Second

During Black Friday and Cyber Monday 2023, Shopify's MySQL fleet was handling 19 million queries per second. At that scale, even rare deadlock patterns become common enough to cause real incidents. The engineering team published a detailed playbook for diagnosing and eliminating MySQL deadlocks in high-concurrency production environments.

19M MySQL QPS at BFCM peak 58M requests/min app servers 99.999%+ uptime maintained +3

Read full story →

Cloudflare Reliability

Cloudflare's Datacenter Partner Failed and the Control Plane Went Dark for 40 Hours

On November 2, 2023, Cloudflare's primary datacenter partner experienced a power failure. The control plane — the system that lets customers configure DNS, firewall rules, and every Cloudflare service — went dark. It stayed dark, in various forms, for nearly 40 hours. The postmortem introduced a concept Cloudflare hadn't had before: Code Orange.

Nov 2–4 2023 outage ~40 hours control plane down Flexential datacenter failure +3

Read full story →

Cloudflare Reliability

A Database Permission Change in ClickHouse Took Down 28% of Cloudflare's HTTP Traffic

On November 2, 2023 — the same day as the control plane datacenter failure — Cloudflare also experienced a separate six-hour global outage. The cause: a database permission change in ClickHouse generated a corrupt configuration file that was silently propagated to every server in Cloudflare's Bot Management system, crashing it globally.

Nov 2 2023 outage 28% HTTP traffic impacted 6 hours total duration +3

Read full story →

Netflix Performance

Netflix Made Their Workflow Orchestrator 100x Faster by Rewriting the Engine Nobody Thought Was Slow

Maestro had been running Netflix's data and ML workflows successfully for two and a half years. Then Live, Ads, and Games drove sub-hourly scheduling requirements that revealed the orchestrator's overhead — not in crashes or alerts, but in slow step launches that nobody had measured. The fix was a complete engine rewrite that delivered 100x throughput improvement.

100x throughput improvement 2.5 years before overhead visible Sub-hourly scheduling trigger +3

Read full story →

Netflix Performance

Netflix's Containers Were Fighting Their Own CPUs — and Losing

Netflix ran millions of containers per day on modern multi-core CPUs. The containers performed well on benchmarks. In production, under certain workloads, they were mysteriously slower than expected — slower than the hardware should have allowed. The culprit was CPU topology: the operating system was scheduling container workloads in ways that violated modern CPU cache architecture. They called the investigation 'Mount Mayhem.'

Mount Mayhem investigation Modern multi-core CPU topology NUMA and cache locality +3

Read full story →

Netflix Reliability

Netflix Streamed Live Sports for Millions — and the Hard Part Wasn't the Video

When Netflix began streaming live events — boxing, NFL games, comedy specials — the engineering challenge wasn't encoding or delivery. It was building the human infrastructure: the operations team, the escalation paths, the real-time decision systems, and the runbooks that let engineers respond to live event failures in seconds, not minutes.

Live events at Netflix scale Sub-second escalation paths NFL Christmas Day 2023 +3

Read full story →

Figma Databases

Figma's Database Grew 100x in Four Years — Here's How a Small Team Kept It From Toppling

In 2020, Figma ran on a single Postgres instance on AWS's largest available machine. Four years later, that database had grown nearly 100x. Some tables had swelled to several terabytes and billions of rows. The Postgres vacuum process — the background job that keeps Postgres alive — was causing reliability incidents. They had months of runway left before hitting the IOPS ceiling. A small databases team had nine months to fix it.

100x DB growth since 2020 Single instance → horizontal shards 9-month migration +3

Read full story →

Datadog Reliability

Datadog Went Dark for 24 Hours and Came Back With a Different Philosophy

On March 8, 2023, Datadog — the platform engineers use to know when their own infrastructure is broken — broke. For more than 24 hours, across five regions on three cloud providers, metrics stopped arriving, logs disappeared, and dashboards showed nothing. The people whose job was to fix it couldn't see what was happening. It cost $5 million. It changed how Datadog thinks about building software.

24h+ global outage $5M revenue loss 50–60% Kubernetes nodes lost +3

Read full story →

OpenAI Databases

OpenAI Runs ChatGPT for 800 Million Users on One PostgreSQL Instance — and It Works

ChatGPT has 800 million users. It handles millions of database queries per second. And it runs on a single primary PostgreSQL instance on Azure — one writer, backed by about fifty read replicas. No sharding. No distributed SQL. Just Postgres, pushed further than almost anyone thought possible through obsessive optimization and ruthless operational discipline.

800M users, 1 primary PG instance ~50 read replicas globally Millions of QPS, p99 <20ms +3

Read full story →

Uber Security

Uber Had 150,000 Secrets Scattered Across 25 Vaults — So They Built One Platform to Rule Them

150,000 secrets. 25 separate vaults. Hundreds of teams managing their own credentials in their own ways, some in plain text in version control. At Uber's scale — 5,000 microservices, 5,000 databases, 500,000 analytical jobs per day — secrets sprawl is not a compliance problem. It is an incident waiting to happen. A team of ten engineers decided to fix it.

150,000 secrets managed 25 vaults → 6 managed vaults 5,000 microservices secured +3

Read full story →

Shopify Reliability

The 80% Problem: Why Getting an LLM System to 'Works in Demo' Is 20% of the Work

Every team building with LLMs discovers the same brutal truth: 80% quality arrives in a few weeks. The final 15% — the gap between 'impressive demo' and 'product I'd trust with my customers' — takes the rest of the time. Shopify's Flow agent and Sidekick teams lived this curve and came back with a systematic playbook. It is mostly about measurement.

LLM judge: 0.02 → 0.61 Kappa 300-example hand-crafted benchmark Production mirroring closes gap in 2 weeks +3

Read full story →

IBM Distributed Systems

Quantum Computing Just Beat the Best Classical Computer — Here Is the Engineering That Made It Happen

On May 6, 2026, Q-CTRL ran a materials science simulation on an IBM quantum computer in 2 minutes. The best classical supercomputer needed over 100 hours to reach the same accuracy — and then gave up. The day before, IBM's quantum computers simulated a 12,635-atom protein with Cleveland Clinic and RIKEN, 40 times larger than anything attempted six months prior. After 30 years of promises, quantum advantage arrived. Here is what actually changed.

3,000× speedup over best classical (May 6 2026) 12,635-atom protein simulated (May 5 2026) 120 qubits, 10,000+ two-qubit gates +3

Read full story →

Spotify Reliability

Spotify Changed a Filter Order in Their Proxy — Then Every Server in the World Crashed at Once

On April 16, 2025, Spotify's engineering team made a change they deemed low risk: reordering the custom filters inside their Envoy Proxy perimeter. They applied it to all regions simultaneously. Within two minutes, every Envoy instance worldwide had crashed. And then the restart loop began — a loop Kubernetes itself was powering, killing each new server as fast as it came back up. 675 million users couldn't load the app. Asia Pacific stayed up, and the reason why told the engineers exactly what was broken.

12:18–15:45 UTC (3h 27min) 675M MAU affected 48,000+ Downdetector peak reports +3

Read full story →

Airbnb Databases

Airbnb's Fraud Detection Runs on a Graph of 7 Billion Nodes — Here's Why They Rebuilt It From Scratch

Airbnb's identity graph connects 7 billion nodes and 11 billion edges — every user, every device, every listing, every relationship that might reveal a fraudster trying to create a duplicate account or collude on a fake transaction. The third-party vendor powering it required periodic manual reboots to stay stable. Queries that needed 8 hops of graph traversal were hitting 5-second P99 latencies. In 2024, a small team rebuilt the entire thing internally. The results were not incremental.

7B nodes, 11B edges 5M new edges/day P99 read: 5.0s → 2.5s (-49%) +3

Read full story →

Google · Distributed Systems

Google's Own Cleanup Job Crashed Cloud Services Across 4 Continents — and Then Made Recovery Worse

The Story

On May 29, 2025, a new feature was added to Service Control for additional quota policy checks. The issue with this change was that it did not have appropriate error handling nor was it feature flag protected. Without the appropriate error handling, the null pointer caused the binary to crash.

— Google Cloud — Official Incident Report, June 14, 2025

Service Control is not a product you've heard of. It doesn't have a marketing page or a conference talk. It exists in the infrastructure layer beneath everything else — the system that authorizes every API request across Google Cloud and Google Workspace before that request is allowed to proceed. If you call the Cloud Storage API, Service Control checks your quota. If you authenticate with Google IAM, Service Control validates your policy. If your app on Google Cloud makes any call to any Google service, Service Control is in the critical path. It is, in the most literal sense, the gatekeeper of the entire platform.

When Service Control crashed on June 12, 2025, it didn't just take down one service. It took down the authorization layer for every service. API calls returned 503 errors not because the underlying services had failed, but because the gatekeeper wasn't there to let them through. Compute Engine instances were running. Cloud Storage buckets were intact. BigQuery jobs were ready to execute. None of it mattered — because without Service Control, nothing could be authorized, and nothing unauthorized can proceed in a correctly secured cloud platform.

WHAT SERVICE CONTROL ACTUALLY DOES

Google Cloud's Service Control system performs three functions on every API request: authentication (is this requester who they claim to be?), authorization (are they allowed to perform this operation?), and quota enforcement (have they exceeded their usage limits?). It processes these checks at massive scale across every region — billions of API calls per day — using policy metadata stored in and synchronized across Spanner, Google's globally distributed database. The May 29 code change was adding more sophisticated quota checking logic to this pipeline. The change worked correctly in every scenario that was tested. The scenario that wasn't tested was the one that appeared on June 12.

Problem

May 29: Code Deployed — Bug Present, But Invisible

Google engineers deployed new quota policy checking code to Service Control. The deployment went through the standard region-by-region rollout and passed all checks. But the new code path had two critical gaps: no error handling for null values, and no feature flag to disable it if something went wrong. The bug was invisible during rollout because the problematic code path could only be triggered by a specific type of policy input — blank fields in the policy metadata. That input hadn't appeared during rollout. The binary was now running in every region with a loaded trap, waiting for the right trigger.

Cause

June 12, 10:45 AM PDT: The Policy Update That Pulled the Trigger

An automated system inserted a routine policy change into the regional Spanner tables that Service Control uses for policy metadata. The policy update contained unintended blank fields — values that should have been populated but weren't. Because quota management is global, the Spanner replication engine distributed this metadata worldwide within seconds. Every Service Control binary in every region hit the new code path, encountered the null values, and threw a null pointer exception. Without error handling, the exception crashed the binary. Service Control was dead globally.

Solution

The SRE Response: Diagnosis in 10 Minutes, Red Button in 40

Google's Site Reliability Engineering team began triaging within two minutes of the first alert. They identified the root cause — the null pointer exception in the new quota checking code path — within 10 minutes. Engineers deployed a 'red button' kill switch within 40 minutes to disable the problematic serving path. Most regions began recovering within two hours. But us-central1, Google's largest region, hit a second problem: the recovery itself.

Result

The Herd Effect: When Recovery Made Things Worse

As Service Control instances restarted in us-central1 after the red button was deployed, they all simultaneously reached for the regional Spanner database to load their policy metadata. Hundreds of instances, all restarting at the same moment, all hitting Spanner at the same time, with no randomization in their startup sequence. The Spanner database — which had been handling steady-state read traffic fine — was overwhelmed by the simultaneous burst. Service Control couldn't load its policies, which meant it couldn't restart properly, which meant it kept trying, which kept hitting Spanner. The recovery created a herd effect that prolonged the outage in us-central1 by more than two hours beyond when other regions had stabilized. Full resolution across all services wasn't complete until 18:18 PDT — more than seven hours after the incident began.

Google's own Cloud Service Health dashboard went down during the incident — the monitoring system that customers rely on to track outage status was itself affected by the outage it was supposed to report. Engineers and customers trying to understand what was happening couldn't access the standard communication channel. A status page that goes down during the incident it's supposed to report is a monitoring anti-pattern at its most consequential.

What Went Dark: The Third-Order Cascade

The blast radius of the June 12 outage had three concentric rings. The innermost ring was Google's own services: Google Cloud Platform APIs, Google Workspace (Gmail, Calendar, Drive, Docs, Meet), IAM, Cloud Storage, Compute Engine, BigQuery, Cloud SQL, Cloud Spanner, Vertex AI, Cloud Monitoring. The second ring was companies building directly on GCP — Spotify, Snapchat, Fitbit, Replit, GitLab, Shopify, Character.AI, Cursor — whose applications were unable to authorize any backend calls. The third ring was the one that made this incident uniquely instructive: companies that depend on Cloudflare, which depends on Google Cloud. Cloudflare — itself one of the internet's core infrastructure providers — uses Google Cloud for some of its backend operations. When Google Cloud's Service Control failed, Cloudflare experienced partial degradation, which in turn degraded Discord, Twitch, and other services that had built on top of Cloudflare. This is third-order cascading failure: Google fails → Cloudflare degrades → Discord goes down. Discord's users had no idea their outage had anything to do with a null pointer exception in a Google quota management system.

The three-ring cascade of the June 12, 2025 Google Cloud outage — and the dependency chain that connected them

Failure Ring	What Failed	Why
First: Google's own infrastructure	Cloud IAM, Compute Engine, Cloud Storage, BigQuery, Cloud SQL, Cloud Spanner, Vertex AI, Cloud Monitoring, Google Workspace (Gmail, Calendar, Drive, Docs, Meet)	Service Control — the authorization gateway — crashed globally, blocking all API requests across GCP and Workspace
Second: Direct GCP customers	Spotify (~46K outage reports), Snapchat, Fitbit, Replit, GitLab, Shopify, Character.AI, Cursor, Perplexity AI	Applications built on GCP couldn't authorize any backend calls — services appeared down to users even though underlying compute was running
Third: Cloudflare and its customers	Cloudflare (partial degradation), Discord, Twitch	Cloudflare uses Google Cloud for certain backend operations; when those degraded, Cloudflare's services partially degraded, cascading to Cloudflare's own customers

The Dormant Trap: Why Staged Rollouts Didn't Catch This

Google's staged, region-by-region rollout is exactly the right practice for catching bugs introduced by new deployments. It worked correctly for 14 days — no failures appeared during the May 29 rollout because the failure condition required specific policy data (blank fields) that hadn't yet been inserted. The bug was a dormant trap: present in production, but invisible until the exact trigger arrived. This is a class of bug that staged rollouts are structurally unable to catch — because the rollout environment and the trigger environment are separated by two weeks and an automated policy change that nobody controlled. The only defenses against dormant traps are error handling (so the crash doesn't happen when the trigger arrives) and feature flags (so the code path can be disabled immediately when the trigger produces unexpected behavior). The May 29 change had neither.

10 min

Time for Google's SRE team to identify the root cause — null pointer exception in the new quota checking code path — from the first alert at 10:49 AM PDT on June 12

40 min

Time to deploy the 'red button' kill switch that disabled the problematic Service Control serving path and allowed most regions to begin recovery

7+ hrs

Total outage duration — most regions recovered within 2 hours, but the herd effect in us-central1 extended full resolution to 18:18 PDT

50+

Google Cloud services affected, including all core infrastructure APIs, all Google Workspace products, and all AI/ML services including Vertex AI

The Fix

Google's Response: Five Commitments After the Outage

Google's incident report, published June 14, 2025, outlined specific remediation steps across five categories. Each addresses a distinct failure mode that either caused the outage or made it worse than it needed to be.

Google's five-category post-incident remediation plan, derived from the official June 14, 2025 incident report

Failure Mode	What Happened	Google's Fix
Missing error handling	The new quota checking code had no null-safety — when blank fields appeared, a null pointer exception crashed the binary	Mandatory null-safe code patterns for all Service Control code paths, with additional static analysis to catch null pointer vulnerabilities before deployment
No feature flag	Without a feature flag, the new code path could not be disabled without a full binary redeployment — adding 30+ minutes to initial response time	Feature flag protection required for all new code paths in Service Control — a flag would have allowed the problematic path to be disabled within seconds, before most regions crashed
Herd effect during recovery	Hundreds of Service Control instances restarting simultaneously all hit Spanner at the same time, overwhelming it and prolonging the us-central1 outage by 2+ hours	Randomized exponential backoff on Service Control startup — instances restart with jittered delays so Spanner load is distributed over time rather than concentrated in a burst
Status page availability	Google's Cloud Service Health dashboard went down during the outage, removing the primary customer communication channel	Decoupled status infrastructure — the status page must be architecturally independent of the services it monitors, with its own Service Control dependency removed
Service Control architecture	Service Control is a monolithic regional binary — a crash in Service Control takes down all API authorization for the entire region simultaneously	Modularize Service Control's architecture — isolate the quota checking component so a crash in quota logic does not crash the authentication and authorization components

The Feature Flag That Would Have Saved Seven Hours

The most consequential missing safeguard in the June 12 outage was the absence of a feature flag on the new quota checking code path. A feature flag — a configuration switch that enables or disables a code path without a redeployment — would have changed the incident timeline dramatically. When the null pointer exceptions began firing at 10:49 AM PDT, engineers with a feature flag could have disabled the new code path across all regions within seconds or minutes, before the crash had spread globally. Without a feature flag, the only option was a red-button kill switch that required a new binary deployment — a process that took 40 minutes and still left the herd effect problem during restart. 40 minutes of global Service Control outage versus seconds of a feature flag toggle. Google's own incident report acknowledges this directly: 'If this had been flag protected, the issue would have been caught in staging.' The cost of not having a feature flag was measured in hundreds of millions of users unable to access their services for seven hours.

The Herd Effect: A Recovery Anti-Pattern With a Known Fix

The herd effect that prolonged the us-central1 outage is not a new problem. It has been documented since the earliest days of distributed systems: when many clients restart simultaneously after a shared dependency recovers, they all connect simultaneously and overwhelm the dependency, preventing it from returning to steady state. The canonical solution — randomized exponential backoff — is equally well-documented and simple: when restarting, add a random delay so clients stagger their reconnection attempts over a time window rather than clustering them at a single instant. Every Service Control instance waiting exactly zero milliseconds before hitting Spanner on restart is the problem. Service Control instances waiting a random delay between 0 and 30 seconds before hitting Spanner on restart is the solution. Google committed to implementing this. The fact that it required an outage to prompt the implementation is a reminder that known fixes for known problems often go unimplemented until the cost of not implementing them is paid in production.

MTTD VS DURATION: WHAT THE NUMBERS ACTUALLY TELL YOU

Google's SRE team began triaging within two minutes of the first alert. This is elite incident response. The MTTD (Mean Time to Detect) was near-instantaneous, and the root cause diagnosis took 10 minutes. These are remarkable numbers for a global infrastructure failure of this complexity. The lesson is not that Google's response was slow — it was fast. The lesson is that even elite incident response cannot compensate for missing preventative safeguards. Feature flags, error handling, and randomized backoff would have prevented or dramatically shortened the outage before any human had time to respond. The SRE team's quality is demonstrated by the 10-minute diagnosis. The systems quality gap is demonstrated by the 7-hour duration.

The Broader Lesson: Cleanup Operations Are the Hardest Code to Get Right

The June 12 outage shares an important structural pattern with the October 2025 AWS DynamoDB incident: the trigger was not a complex new feature or an ambitious architectural change. It was a routine operation — in AWS's case, a cleanup job that deleted stale DNS plans; in Google's case, an automated policy update that inserted routine quota metadata. Routine operations are the hardest to protect against because they're not treated with the same scrutiny as new features. A new feature gets code review, testing, staged rollout, and monitoring. A routine automated policy update is assumed to be safe because it's been running correctly for months. But when the underlying system has changed — when new code is now in the critical path that couldn't handle what the routine operation produces — the routine operation becomes the trigger for a catastrophic failure. The implication is uncomfortable: every automated operation that modifies system-critical metadata must be treated as a potential trigger for any latent bugs in the code that consumes that metadata.

Architecture

Service Control sits at the intersection of every API request Google Cloud processes. Understanding how it failed — and why the failure spread so quickly and recovered so slowly — requires understanding three things: the role of Spanner as the global policy data store, the absence of safe failure handling in the new code path, and the herd effect as a predictable consequence of synchronized restart under load.

Normal Flow vs. June 12 Failure: What Service Control Does on Every Request

flowchart TD subgraph normal["Normal API Request Flow"] req["API Request"] --> sc_auth["Service Control\nAuthenticate"] sc_auth --> sc_quota["Service Control\nQuota Check"] sc_quota --> sc_policy["Read Policy from Spanner"] sc_policy --> allow["Request Authorized ✓"] allow --> service["GCP Service Executes"] end subgraph failure["June 12: Failure Flow"] req2["API Request"] --> sc_crash["Service Control\nLoads quota policy"] sc_crash --> null_ptr["Blank field in policy →\nNull Pointer Exception 💥"] null_ptr --> crash["Binary Crashes"] crash --> err503["503 Error returned\nto caller"] err503 --> down["All GCP APIs\ninaccessible"] end style null_ptr fill:#ef4444,color:#ffffff style crash fill:#ef4444,color:#ffffff style down fill:#ef4444,color:#ffffff

The Herd Effect: Why Us-Central1 Recovery Took 2+ Extra Hours

sequenceDiagram participant SC1 as Service Control Instance 1 participant SC2 as Service Control Instance 2 participant SCN as Service Control Instance N participant Spanner as Regional Spanner DB Note over SC1,SCN: Red button deployed — all instances restart SC1->>Spanner: Load policy metadata (T+0s) SC2->>Spanner: Load policy metadata (T+0s) SCN->>Spanner: Load policy metadata (T+0s) Note over Spanner: Overwhelmed — hundreds of simultaneous reads Spanner-->>SC1: Timeout ✗ Spanner-->>SC2: Timeout ✗ Spanner-->>SCN: Timeout ✗ Note over SC1,SCN: Instances retry — still all simultaneously SC1->>Spanner: Retry (T+5s) SC2->>Spanner: Retry (T+5s) SCN->>Spanner: Retry (T+5s) Note over Spanner: Still overwhelmed — herd effect continues Note over SC1,SCN: Fix: randomized exponential backoff\n(T+random[0..30s]) staggers load

THE GLOBAL SPANNER REPLICATION TRAP

The reason the June 12 failure was global rather than regional was Spanner's design strength working against Google in this case. Spanner is Google's globally distributed database, engineered to replicate data to all regions in real time — typically within seconds. This replication is what makes Spanner so powerful for global consistency. On June 12, it was what made the failure instantaneous and universal. When the automated system inserted the policy update with blank fields into the regional Spanner tables, Spanner replicated that policy data to every region within seconds. Every Service Control instance in every region hit the null pointer at essentially the same moment. There was no regional staging, no propagation delay, no opportunity for an alert to fire in one region before the failure had spread to all others. The same architecture that gives Spanner its global consistency guarantee gave this bug its global blast radius.

The Status Page That Went Dark

Google's Cloud Service Health dashboard — the system that customers rely on to understand what Google services are experiencing — went offline during the June 12 outage. This happened because the status infrastructure shared a dependency on the same Google Cloud services that were failing. A status page that fails during a widespread outage is not just unhelpful — it is actively harmful. Customers experiencing failures couldn't access the standard channel to confirm they weren't the source of the problem, couldn't track recovery progress, and couldn't communicate accurate information to their own stakeholders. The status page being down created a second outage: an outage of information. Google's commitment to decoupling status infrastructure from the services it monitors is not a nice-to-have. It is the baseline requirement for maintaining communication with customers during incidents.

Lessons

The June 12, 2025 Google Cloud outage carries lessons that apply to every engineering team — from startups deploying to a single cloud region to hyperscalers managing global infrastructure. The failure modes are not exotic. They are the canonical patterns of distributed systems engineering: missing error handling, absent feature flags, synchronized recovery storms. The scale is Google's. The lessons belong to everyone.

Error handling is not optional for code that runs in the critical path of a globally distributed system. The null pointer exception that crashed Service Control was caused by a missing two-line null check. Any code path that processes external data — data that arrives from an automated system and could contain unexpected values — must explicitly handle the unexpected cases. The failure condition was not unpredictable. Blank fields in policy metadata is a predictable input variation. The code should have anticipated it.

on infrastructure code are not optional — they are the minimum viable safety mechanism for any code that processes global-scale policy data. The difference between 'feature flag enabled, issue caught in staging' and 'no feature flag, 7-hour global outage' is one line of configuration. Every new code path in a globally deployed binary should require a feature flag as a deployment prerequisite, not a nice-to-have.

The herd effect — the in its classic form — is a known failure mode with a known fix. Randomized exponential backoff on service restart is the standard solution, and it has been documented for decades. The fact that Service Control lacked it is a reminder that well-known fixes go unimplemented until the cost of not implementing them becomes acute. Build randomized backoff into any service that has a shared dependency it needs to reconnect to after a failure.

Your monitoring infrastructure must be architecturally independent of the services it monitors. A status page that goes down during an outage is a second outage layered on top of the first. This means no shared dependencies between the monitoring stack and the application stack, separate cloud regions or providers for status infrastructure, and tested independence — verifying that a full outage of the primary platform does not affect the observability layer. This is not easy to build, but it is essential. The moment customers need status information most is exactly the moment a shared-dependency status page is most likely to be unavailable.

Third-order cascade failures are invisible until they happen. Discord's users had no idea their outage originated in a null pointer exception in Google's quota management code. The dependency chain was opaque: Discord → Cloudflare → Google Cloud → Service Control → policy metadata blank fields. Every engineering team should map their dependency chain at least two levels deep — not just 'we use Cloudflare' but 'Cloudflare uses Google Cloud, and a Google Cloud outage of sufficient scope will reach us through Cloudflare.' This mapping informs both architectural decisions and incident response communication.

The Modularization Commitment

Google's most architecturally significant post-incident commitment was to modularize Service Control — isolating the quota checking component so that a failure in quota logic cannot crash the authentication and authorization components. Currently, Service Control is a single binary: a null pointer in any component crashes everything. In a modularized architecture, the quota checking subsystem can crash or be restarted without affecting authentication. This is the same architectural move GitHub is making with service isolation — and it is the right call for the same reason: blast radius containment. The cost of modularizing a critical monolithic binary is high. The cost of not doing it is measured in seven-hour global outages.

THE IRONY OF THE RECOVERY MAKING THINGS WORSE

The most memorable aspect of the June 12 outage is the herd effect: the act of fixing the crash created a new problem that extended the outage by hours. This pattern — where the recovery mechanism amplifies the damage — appears across some of the most instructive engineering post-mortems in the industry. Netflix built Chaos Monkey partly because they discovered that their graceful degradation paths, when triggered simultaneously by a real failure, could overload the systems they were supposed to protect. AWS's October 2025 DynamoDB outage extended 12 extra hours because the automatic failover mechanisms were making the DNS inconsistency worse. And Google's June 2025 Service Control outage extended beyond the crash itself because hundreds of instances restarting simultaneously overwhelmed the Spanner database they all depended on. The lesson that runs through all three: design recovery paths with the same care you design primary paths — because recovery paths are the code that runs when everything is already wrong.

Google deployed a null pointer exception on May 29, and it sat patiently in production for two weeks waiting for exactly the wrong policy update to arrive — like a trapdoor that looks like a floor until someone with the right keycard walks over it. Then it took down Spotify, Discord, Snapchat, Cloudflare, and Google's own status page simultaneously, and when engineers hit the kill switch to fix it, the restart surge broke the database they were restarting into. There is a version of this story where the lesson is 'write a null check.' There is a more useful version where the lesson is: the most dangerous code in your system is the code that runs perfectly for two weeks before it fails catastrophically, because you will have completely forgotten it's there by the time it does.TechLogStack — built at scale, broken in public, rebuilt by engineers