Enterprise technology teams have grown accustomed to cloud bills that arrive with some predictability. That assumption cracked this month. Customers of Amazon Web Services and Google Cloud woke up to invoices reaching tens of thousands of dollars for AI workloads they never authorized or never expected to scale so fast.
One Australian developer set a $250 spending limit yet faced a $10,000 charge overnight. Another watched his credit card get declined while charges continued to mount. On AWS, a user who anticipated hundreds in costs for Claude model inference instead received a bill for more than $30,000. The incidents share a common thread. Providers pushed AI services hard. Their billing safeguards did not keep pace.
The Register first highlighted the pattern in a pair of detailed reports. In one case, attackers exploited publicly exposed Google Maps API keys. Those keys, long encouraged for front-end use, suddenly granted access to expensive Gemini models such as Veo 3 for video generation and image-producing tools. Costs exploded within minutes.
Rod Danan, CEO of Prentus, followed Google’s earlier guidance to expose his Maps key. His monthly bills had stayed under $50. Then came alerts for $3,000, followed by another $5,000 in five minutes. The total hit $10,138 for services his application never used. “It’s just ‘Boom, we just charged you $3,000.’ I’m like, ‘What the hell’s going on?'” Danan told the publication. Determining the source proved difficult. Support responses lagged.
Isuru Fonseka, a Sydney-based developer with a decade on Google Cloud, set a $250 cap on a side project. The account auto-upgraded to a $100,000 tier after the attacker racked up enough spend. His bill reached about $12,000 USD before partial declines by his card issuer. “I just woke up to a couple of emails where my credit card provider declined a number of transactions,” Fonseka said. He noted the system could detect usage enough to charge the card but not enough to show details promptly.
Security researcher Joe Leon of Truffle Security had flagged the vulnerability months earlier. In February he warned that thousands of “A-I-Z-A” prefixed keys intended for Maps could now call Gemini APIs. Attackers scraped them from public repositories. Google responded by introducing new key types and requiring restrictions. Yet the auto-upgrade mechanism for spending tiers remained. An account that spends $1,000 lifetime and sits open more than 30 days qualifies for dramatically higher limits without explicit consent.
Google told affected users the tier increases were triggered by the attacker’s own usage meeting qualification criteria. The company initially declined refunds in some cases, citing no clear evidence of fraud. After The Register published customer accounts, Google reversed charges for both Danan and Fonseka. A follow-up story confirmed the reimbursements but noted the company still defends automatic budget expansion for what it calls developer flexibility. “We take reports of credential abuse and the financial security of our customers extremely seriously,” Google stated.
The AWS episode played out differently yet produced similar sticker shock. A customer ran inference on Anthropic’s Claude Opus model through Amazon Bedrock. Charges routed through AWS Marketplace. The user had enabled AWS Cost Anomaly Detection with thresholds set to flag anything over $100 absolute and 40 percent relative increase. No alerts arrived. AWS Activate credits covered the first $8,026 before the system switched to invoiced billing. The final Bedrock inference charge alone reached $30,141.
“The credits masking made it worse,” the customer told The Register. “There was no notification when credits were exhausted – the charges simply started accumulating as invoiced amounts.” Corey Quinn, cloud cost commentator, observed that Marketplace billing for Bedrock models sits outside the anomaly detection tool. AWS documentation notes the limitation, yet many users remain unaware until the invoice lands.
AWS responded that customers have multiple tools including AWS Budgets, which does cover Marketplace spend. The company has no immediate plans to fold Marketplace transactions into Cost Anomaly Detection. Support teams point users to documentation and offer case-by-case review. But the lack of proactive stops mirrors the Google experience. Both providers can see usage in real time. Neither halted the accrual the way a credit card company flags unusual purchases.
These stories surfaced against a backdrop of explosive AI-driven cloud growth. Alphabet reported Google Cloud revenue of $20.03 billion in the first quarter of 2026, up 63 percent year over year, outpacing AWS and Azure. Analysts tied the surge to demand for Gemini and related infrastructure. CNBC noted all three hyperscalers beat estimates on AI momentum. Yet that same demand creates the conditions for runaway costs when controls fail.
Earlier incidents foreshadowed the problem. In April a Google Cloud user reported an $18,000 bill despite a $7 daily budget after a forgotten public API key enabled 60,000 requests. Tom’s Hardware detailed how nine safety features sat disabled by default. The pattern repeats. Teams treat AI APIs like low-cost experiments. Attackers treat them as free compute subsidized by someone else’s budget.
Broader industry data shows cloud infrastructure spending projected near $725 billion this year, with the majority aimed at AI. Hyperscalers race to build capacity while customers grapple with unpredictable bills. Some organizations now demand dedicated contracts with hard caps before touching frontier models. Others route all AI traffic through proxy layers that enforce token budgets and model routing to cheaper alternatives for routine tasks.
But such discipline is not universal. Startups and individual developers, drawn by generous free tiers and marketing that emphasizes productivity gains, often discover the downside only after damage occurs. Reddit threads fill with accounts of accounts that once cost $50 a month now generating five-figure charges in days. One user described the moment of discovery as “a rough, rough way to start the day.”
Neither AWS nor Google has announced fundamental changes to the billing logic at the heart of these surprises. Google continues to favor auto-expansion for what it sees as improved developer experience. AWS maintains that its suite of budgeting tools suffices when used correctly. Customers counter that the burden should not fall entirely on them. Banks don’t let overdrafts run unchecked. Streaming services cut off unusual streams. Why, they ask, can’t cloud platforms do the same for inference calls that burn thousands per hour?
The question grows louder as AI agents and autonomous workflows proliferate. These systems consume tokens at rates difficult to forecast. A single misconfigured loop or compromised key can generate bills faster than humans can react. Security experts recommend rotating keys frequently, restricting API scopes to specific services and IP ranges, and monitoring usage with third-party tools that operate outside provider dashboards.
Even then, surprises persist. Marketplace billing quirks, delayed reconciliation that can take 28 days, and the sheer velocity of model calls leave gaps. Industry observers expect pressure to mount for regulatory-style protections or at minimum clearer contractual guarantees around spending limits. Until then, the advice from those already burned is blunt. Treat every AI API call as if it carries the potential to empty the bank account. Because in practice, sometimes it does.


WebProNews is an iEntry Publication