A software developer's stolen Gemini API key was used to generate over $82,000 in charges in 48 hours, threatening their business with bankruptcy. The victim has secured their account, but initial feedback from Google suggests the company may enforce payment, citing its Shared Responsibility Model for cloud security.
Affected developers are criticizing Google for lacking basic guardrails, such as spending caps or anomaly freezes, to prevent such catastrophic usage spikes. The article notes that while consumer Gemini accounts have usage caps, business users must proactively set their own quotas and budget alerts within Google's cloud platform.
The main topics covered are a significant financial incident due to API key theft, the ensuing dispute over liability with Google, and calls for improved protective measures from service providers.
Gemini API key thief racks up $82,314 in charges in just two days, victim 'facing bankruptcy' — affected devs call for basic guardrails against 'catastrophic usage anomalies'
Always set billing caps, folks.
A Google Gemini user has taken to Reddit “in a state of shock and panic.” The issue is with the most recent bill received by their software development business. Redditor RatonVaquero’s typical monthly spend on Gemini AI services is $180. However, in just 48 hours last month, their account “generated $82,314.44 in charges.” A thief has been using the account to generate oodles of Gemini 3 Pro Images and Texts. If Google doesn’t back down regarding these non-trivial fees from the suspected “stolen Gemini API key,” it will bankrupt the company.
Tragically, locking the door after the horse has bolted, RatonVaquero has now “Deleted the compromised key, Disabled Gemini APIs, Rotated credentials, Enabled 2FA everywhere, Locked down IAM, [and] Opened a support case.” On the latter point, initial feedback from a Google rep they contacted indicates that the charges will probably stick.
From the Redditor’s discussion of their correspondence with Google so far, it looks like the “don’t be evil” company is going to repeatedly cite its ‘Shared Responsibility Model’ for cloud services accounts. I’ve had a quick look at the referenced legal word salad, and I’d guess Google is leaning on the part of its agreement that asks customers to have an authentication system, access policy, and network security in place to protect their API keys, among other things.
Interestingly, though, several Redditors also note that the stolen API key(s) might actually have been there for the taking, and it is Google’s fault for flipping its API key secrecy rules.
Arguing for some ‘mercy,’ RatonVaquero, one of three devs at the affected Mexican development firm, complains that Google doesn’t have “basic guardrails for catastrophic usage anomalies.” The contrast in usage, from a usual $180 per month to $82,000+ in 48 hours, does indeed look like an extreme spike. RatonVaquero also says that there should be features like temporarily freezing services until review and the implementation of per-API spending caps.
A look into this overcharging issue indicates that personal/consumer Gemini customers can’t accidentally spend more than their flat monthly fee; instead, they have usage caps. Moving up to Dev/Business Google AI Studio users, they can set Quotas (limiting the number of requests per day or per minute). Meanwhile, Google Cloud (Vertex AI) users can set Budget Alerts to notify them when they reach a certain dollar amount.
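The quotas and budget alerts described above either rate-limit by request count or only notify after the money is spent. The guardrail RatonVaquero asks for, a per-key spending cap plus a freeze on anomalous spikes pending human review, is easy to sketch. The following Python is an added example, not Google's code or anything from the article: it replays constructed usage records (minute of day, key id, cost in USD) through two checks, a rolling-hour spend ceiling expressed as a multiple of the account's normal hourly spend (derived here from the $180 monthly baseline the article quotes), and a daily cap per key. The first violation freezes the key so that every later request is rejected until someone reviews it. The sample records, the key ids and the chosen multipliers are all assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed sample usage records: (minute_of_day, api_key_id, cost_usd).
# These are made-up rows, not a real billing export.
SAMPLE_USAGE = (
    [(t, "key-A", 0.02) for t in (0, 10, 20, 30)]       # normal traffic
    + [(600 + i, "key-A", 0.90) for i in range(8)]      # sudden burst on a leaked key
    + [(t, "key-B", 0.03) for t in (0, 60, 120)]        # unaffected key
    + [(100 * i, "key-C", 4.00) for i in range(13)]     # slow climb past the daily cap
)


def apply_guardrails(records, baseline_monthly_usd, daily_cap_usd,
                     spike_factor=20, window_min=60):
    """Replay usage records through a spike freeze and a daily cap.

    A key is frozen on the first request that would either push its
    rolling-window spend above spike_factor x the normal hourly spend, or
    push its daily spend above daily_cap_usd. The offending request and all
    later requests on that key are rejected (not charged) until review.
    Returns per-key counters: accepted, rejected, spent, frozen reason.
    """
    hourly_baseline = baseline_monthly_usd / (30 * 24)   # $180/month -> $0.25/hour
    spike_limit = spike_factor * hourly_baseline          # hypothetical multiplier
    state = defaultdict(lambda: {"accepted": 0, "rejected": 0, "spent": 0.0,
                                 "frozen": None, "window": deque()})

    for t, key, cost in sorted(records, key=lambda r: r[0]):
        s = state[key]
        if s["frozen"]:
            s["rejected"] += 1                 # frozen keys reject everything
            continue

        window = s["window"]                   # (minute, cost) of accepted calls
        while window and t - window[0][0] >= window_min:
            window.popleft()                   # drop entries older than the window
        window_spend = sum(c for _, c in window) + cost

        if window_spend > spike_limit:
            s["frozen"] = "spike"              # anomaly: freeze pending review
            s["rejected"] += 1
            continue
        if s["spent"] + cost > daily_cap_usd:
            s["frozen"] = "daily_cap"          # hard per-key spending cap reached
            s["rejected"] += 1
            continue

        s["accepted"] += 1
        s["spent"] += cost
        window.append((t, cost))

    return {k: {f: v[f] for f in ("accepted", "rejected", "spent", "frozen")}
            for k, v in state.items()}


if __name__ == "__main__":
    report = apply_guardrails(SAMPLE_USAGE, baseline_monthly_usd=180.0,
                              daily_cap_usd=50.0)
    for key, r in sorted(report.items()):
        print(f"{key}: accepted={r['accepted']} rejected={r['rejected']} "
              f"spent=${r['spent']:.2f} frozen={r['frozen']}")
```

With these settings, key-A is frozen for a spike after five of the $0.90 burst calls land inside one hour, key-C is frozen by the $50 daily cap on its thirteenth $4.00 call, and key-B is never touched. The point of the design is that both thresholds are derived from the account's own history and stated budget, so a 455x jump in usage is caught within the first hour rather than discovered on the invoice.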
RatonVaquero says they will talk again with a Google rep soon, and have filed a cybercrime report with the FBI. Now they are basically hoping for a softening of big G’s stance. They may be able to share the logs of their unusual “455x spike” in usage, and ask for “goodwill credits” as victims of a cybersecurity incident. It is Kafkaesque, but usually a bit of stubborn persistence can help get your case seen by the right people for a more favorable outcome.
Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.
hotaru251: I feel bad they have to pay for another's actions; however, they should have always had security in place (at least 2FA), and it is a lesson they will never forget, as being a victim is a painfully deep lesson.