
Between February 11 and 12, attackers heavily abused the team’s credentials to access the “Gemini 3 Pro Image” and “Gemini 3 Pro Text” endpoints, causing a massive 455x spike over their normal $180 monthly bill.
The developers suspect the breach coincided with a broader trend of foreign threat actors aggressively scraping U.S. AI models for data distillation.
Despite immediately deleting the compromised key, rotating credentials, and locking down their Identity and Access Management (IAM) settings, the team hit a wall with customer support.
Essential Google Cloud Security Checklist
Google Cloud representatives cited the “Shared Responsibility Model,” stating the developers are ultimately liable for the security of their own credentials. The root of this problem often lies in insecure defaults.
Security firm Truffle Security recently revealed that nearly 3,000 legacy Google API keys used for basic services such as Google Maps were exposed on public websites.
Because new Google Cloud API keys are created “Unrestricted” by default, and an unrestricted key is accepted by every API enabled in its project, simply enabling the Gemini API turns those old, publicly exposed keys into working AI credentials without the owner noticing.
| Security Control | Google Cloud Feature | Action Required |
|---|---|---|
| Hard Spending Limits | Cloud Billing Budgets | Set alerts at 50%, 90% and 100%; budgets only notify, so wire the budget’s Pub/Sub notification to a function that detaches the billing account at the cap. |
| Key Scoping | API Key Restrictions | Restrict keys to specific APIs and limit by IP or referrer. |
| Access Control | IAM & Service Accounts | Use short-lived tokens or Workload Identity instead of long-lived API keys. |
| API Quota Caps | API & Services Quotas | Reduce RPM/RPD limits to match actual Gemini usage. |
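The audit a team in this position would run first, as an added example that is not the article’s or Google’s code: it parses the JSON that `gcloud services api-keys list --format=json` and `gcloud services list --enabled --format=json` print and flags keys that already work against an LLM API, or would the moment one is enabled, and that carry no IP, referrer or app restriction. The sample output is constructed, the project number and key ids are placeholders, and the two LLM service names are an assumption noted in the code.

```python
"""Flag Google Cloud API keys that are, or could silently become, Gemini credentials.

Added example (not code from the article or from Google). Input is the JSON that
`gcloud services api-keys list --format=json` (API Keys API v2 Key resources) and
`gcloud services list --enabled --format=json` print; the samples below are
constructed by hand in that shape, not captured from a real project.
"""
import json
from dataclasses import dataclass, field

# APIs a leaked key can run a bill on. Assumption: the Gemini Developer API is
# generativelanguage.googleapis.com and Vertex AI is aiplatform.googleapis.com.
LLM_SERVICES = {"generativelanguage.googleapis.com", "aiplatform.googleapis.com"}
CLIENT_RESTRICTION_FIELDS = ("browserKeyRestrictions", "serverKeyRestrictions",
                             "androidKeyRestrictions", "iosKeyRestrictions")


@dataclass
class Finding:
    name: str            # resource name: projects/<num>/locations/global/keys/<id>
    display_name: str
    reasons: list[str] = field(default_factory=list)


def audit_keys(keys: list[dict], enabled_services: set[str]) -> list[Finding]:
    """Return a Finding for each key usable against an LLM API with no client restriction.

    A key with no apiTargets follows every API the project enables, so it is
    reported even when no LLM API is enabled yet: enabling one later upgrades
    the key without touching it. A key scoped to other APIs (Maps, etc.) is a
    different problem and is skipped.
    """
    findings = []
    llm_enabled = enabled_services & LLM_SERVICES
    for key in keys:
        restrictions = key.get("restrictions", {})
        targets = {t["service"] for t in restrictions.get("apiTargets", [])}
        reasons = []
        if not targets:
            if llm_enabled:
                reasons.append("no API restriction and %s enabled" % ", ".join(sorted(llm_enabled)))
            else:
                reasons.append("no API restriction; enabling any LLM API would expose it")
        elif targets & LLM_SERVICES:
            reasons.append("targets %s" % ", ".join(sorted(targets & LLM_SERVICES)))
        else:
            continue
        if not any(f in restrictions for f in CLIENT_RESTRICTION_FIELDS):
            reasons.append("no IP/referrer/app restriction")
            findings.append(Finding(key["name"], key.get("displayName", ""), reasons))
    return findings


def audit_from_gcloud(keys_json: str, services_json: str) -> list[Finding]:
    """Glue for the two gcloud outputs; enabled-service entries carry config.name."""
    keys = json.loads(keys_json)
    enabled = {s["config"]["name"] for s in json.loads(services_json)}
    return audit_keys(keys, enabled)


# Constructed sample: a legacy unrestricted Maps-era key, a properly scoped web
# key, a scoped and IP-restricted Gemini key, and a scoped but open Gemini key.
SAMPLE_KEYS = json.dumps([
    {"name": "projects/123/locations/global/keys/k1", "displayName": "Maps key 2019",
     "createTime": "2019-04-02T10:00:00Z"},
    {"name": "projects/123/locations/global/keys/k2", "displayName": "Web frontend",
     "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}],
                      "browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]}}},
    {"name": "projects/123/locations/global/keys/k3", "displayName": "gemini-prod",
     "restrictions": {"apiTargets": [{"service": "generativelanguage.googleapis.com"}],
                      "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]}}},
    {"name": "projects/123/locations/global/keys/k4", "displayName": "gemini-dev",
     "restrictions": {"apiTargets": [{"service": "generativelanguage.googleapis.com"}]}},
])
SAMPLE_SERVICES = json.dumps([
    {"config": {"name": "maps-backend.googleapis.com"}, "state": "ENABLED"},
    {"config": {"name": "generativelanguage.googleapis.com"}, "state": "ENABLED"},
])

if __name__ == "__main__":
    for f in audit_from_gcloud(SAMPLE_KEYS, SAMPLE_SERVICES):
        print(f"{f.display_name} ({f.name}): " + "; ".join(f.reasons))
```

The fix for each finding is the Key Scoping row above: add an API target restriction so the key follows only the services it was issued for, and an IP or referrer restriction so a copy of it is useless from anywhere else.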
With a valid key, attackers can not only rack up massive LLM-usage bills but also access uploaded files and cached data within the victim’s account.
Unlike some platforms, Google Cloud has no built-in hard billing cut-off: a budget sends alerts when spend crosses a threshold, but nothing stops the spend unless the owner has built that response themselves.
Developers must manually configure strict guardrails to prevent automated bots from draining accounts in minutes. While Google’s initial response to billing disputes is often strict, victims should not give up immediately.
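One way to turn a budget into a real cut-off, as an added example rather than the article’s or Google’s code: the Pub/Sub notification a Cloud Billing budget sends is decoded, and only when actual spend has reached the budget amount is the billing account detached from the project through the Cloud Billing API. The notification messages are constructed, the project id is a placeholder, and the disabler is injectable so the decision logic runs offline.

```python
"""Hard spending cap: detach the billing account when a budget notification shows
actual spend at or over the budget.

Added example (not the article's or Google's code). It follows the pattern Google
documents for budget-driven cut-offs: the budget publishes a notification to a
Pub/Sub topic, a function decodes it and clears billingAccountName on the project
via the Cloud Billing v1 API. The messages below are constructed; PROJECT_ID is a
placeholder.
"""
import base64
import json

PROJECT_ID = "my-gemini-project"  # assumption: the project whose spend is capped


def should_cut_off(budget: dict) -> bool:
    """True only when actual spend has reached the budget.

    Budget notifications also arrive for partial thresholds (50%, 90%) and for
    forecasts (forecastThresholdExceeded); neither must detach billing. Spend
    is reported with a lag, so costAmount may already be far past budgetAmount.
    """
    return float(budget["costAmount"]) >= float(budget["budgetAmount"])


def disable_billing(project_id: str) -> bool:
    """Detach the billing account from the project; returns True if it changed anything.

    Needs google-api-python-client and a service account that can change the
    project's billing assignment (roles/billing.projectManager on the project).
    Idempotent so redelivered Pub/Sub messages do not error out.
    """
    from googleapiclient import discovery
    billing = discovery.build("cloudbilling", "v1", cache_discovery=False)
    name = f"projects/{project_id}"
    info = billing.projects().getBillingInfo(name=name).execute()
    if not info.get("billingEnabled", False):
        return False
    billing.projects().updateBillingInfo(name=name, body={"billingAccountName": ""}).execute()
    return True


def handle_budget_message(message: dict, project_id: str = PROJECT_ID,
                          disabler=disable_billing) -> bool:
    """Entry point for a Pub/Sub payload {"data": <base64 JSON>, "attributes": {...}}.

    Returns True when billing was detached. `disabler` is injectable so the
    decision can be tested without network access.
    """
    budget = json.loads(base64.b64decode(message["data"]).decode("utf-8"))
    if not should_cut_off(budget):
        return False
    return disabler(project_id)


def _encode(budget: dict) -> dict:
    """Wrap a budget notification the way Pub/Sub delivers it (constructed)."""
    return {"data": base64.b64encode(json.dumps(budget).encode()).decode(),
            "attributes": {"billingAccountId": "012345-ABCDEF-678901",
                           "budgetId": "demo-budget", "schemaVersion": "1.0"}}


# Constructed notifications for a $180 budget: the 90% alert, a forecast-only
# alert, and the one that lands after a runaway key has burned far past the cap.
WARNING_90 = _encode({"budgetDisplayName": "gemini-monthly", "alertThresholdExceeded": 0.9,
                      "costAmount": 162.0, "budgetAmount": 180.0,
                      "budgetAmountType": "SPECIFIED_AMOUNT", "currencyCode": "USD"})
FORECAST = _encode({"budgetDisplayName": "gemini-monthly", "forecastThresholdExceeded": 1.0,
                    "costAmount": 95.0, "budgetAmount": 180.0,
                    "budgetAmountType": "SPECIFIED_AMOUNT", "currencyCode": "USD"})
OVER_CAP = _encode({"budgetDisplayName": "gemini-monthly", "alertThresholdExceeded": 1.0,
                    "costAmount": 81900.0, "budgetAmount": 180.0,
                    "budgetAmountType": "SPECIFIED_AMOUNT", "currencyCode": "USD"})

if __name__ == "__main__":
    calls = []
    fake = lambda pid: calls.append(pid) or True  # records instead of calling Google
    for label, msg in [("90% alert", WARNING_90), ("forecast", FORECAST), ("over cap", OVER_CAP)]:
        print(label, "->", "detached" if handle_budget_message(msg, disabler=fake) else "no action")
```

Wire it up by creating the budget with a notification topic (`gcloud billing budgets create --billing-account=<ACCOUNT> --display-name=gemini-monthly --budget-amount=180USD --threshold-rule=percent=0.5 --threshold-rule=percent=0.9 --threshold-rule=percent=1.0 --all-updates-rule-pubsub-topic=projects/PROJECT_ID/topics/budget-alerts`) and deploying the handler as a function triggered by that topic. Two caveats a practitioner should plan for: budget spend data lags by hours, so a runaway key can still get well past the cap before the notification arrives, which is why the quota caps in the checklist matter as the faster brake; and detaching billing stops every paid service in the project, so re-attach it by hand after investigating rather than automatically.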
Previous cases show that Google has waived massive API bills, including a student’s $55,444 charge, when users provided overwhelming evidence.
This included detailed usage logs, police reports, and proof identifying the exact source of the leaked key, as described in a Reddit post about the incident.
Google has also started automatically turning off exposed service account keys detected in public GitHub repositories, but this does not protect against keys stolen directly from developer endpoints.
For now, proactively checking for these misconfigurations remains the most reliable defense against a catastrophic cloud bill; there is no guarantee a dispute will be resolved after the fact.
The post Stolen Gemini API Key Turned $180 Bill to $82000 in Two Days appeared first on Cyber Security News.
