Google Warned Developer of Hijacked Cloud Account, Then Billed Him $11,000 for AI Image Charges He Never Made

Developer Charles Jones received a Google alert about a compromised Firebase service account key, swiftly revoked it and regained access. Yet the company refused to forgive $11,089 in unauthorized Gemini image generation charges run up by attackers. His case highlights ongoing friction in Google's shared responsibility model and weak spending safeguards.
Google Warned Developer of Hijacked Cloud Account, Then Billed Him $11,000 for AI Image Charges He Never Made
Written by Ava Callegari

Charles Jones woke up to a nightmare in early June. Over just 48 hours, his Google Cloud account racked up $11,089.77 in charges. Most of the tab came from heavy use of Gemini image-generation models. Jones runs programmatic SEO and insurance websites as a solo developer. He has no workflows that create AI images.

Google noticed something amiss. The company suspended his account on June 7. Its notification declared the account “was engaged in abusive activity consistent with hijacked resources.” The root cause pointed to a compromised firebase-adminsdk service account key. Jones shared the documentation of his support exchanges with The Register.

He followed every instruction. Jones reported the suspected compromise. He disabled the service account. He revoked the exposed key. Google reinstated his account access. Yet the billing team refused to wipe the charges. Again and again.

This case exposes a pattern. Developers face sudden, massive bills from stolen API keys or service accounts. They scramble to contain the breach only to battle Google over payment. The company’s own warnings about hijacking clash with its refusal to absorb the costs.

Jones posed a pointed question. “Google’s Trust & Safety was quick to alert me that a service account key was compromised — but I have been given no route, anywhere, to see HOW or WHERE that key was actually exposed. There is no trace, no log path, no forensic detail offered.” He told The Register he alone accessed the VM holding the key. He followed Google’s security advice. Still the burden fell on him to prove innocence.

“So how does a single-access VM produce a leaked service account key.” Jones continued. “And why is the burden on me to prove I secured something Google itself can’t (or won’t) show me how I failed to secure? Google is invoking its Shared Responsibility Model to deny the refund, but that model assumes a customer security failure Google has never demonstrated.”

The Register reached out to Google twice. It asked for explanations on the refund denial and any evidence of customer fault. No response came.

Such incidents surface with troubling frequency. In February a Vietnam-based developer faced more than $82,000 in charges over 48 hours after a Google Cloud API key theft, as The Register reported. A month later another user described over $10,000 in unauthorized Gemini-related fees on Reddit.

Even when card issuers reverse fraudulent charges, Google can still hold customers liable according to its billing resolution guidance. The company maintains that developers bear ultimate responsibility under its shared model. Yet it offers scant transparency when keys leak from its own services or infrastructure.

Jones’s experience highlights deeper flaws. Trust and Safety detects compromise fast enough to send alerts. Billing and support then treat the resulting runaway usage as the customer’s problem. No clear audit trail appears. No logs pinpoint exposure. The developer must prove a negative while racing against accumulating fees.

Google has floated spending controls. It introduced spend caps for select services in private preview. Those caps remain unavailable to most users. API-specific limits do not function as project-wide ceilings. Budget alerts exist but warn that hitting them could delete resources without recourse. In March the company launched experimental project spend caps for the Gemini API. Those caps carry a 10-minute delay during which customers remain responsible for all usage. The system also auto-upgrades accounts to higher tiers with larger limits as payment history builds. Flexible definitions of a “cap,” indeed.

Without effective guards, a single leaked service account key can trigger unbounded liability. Recovery demands opaque appeals. Google faces no obligation to show negligence or produce forensic evidence. The process favors the platform.

Recent community discussions echo the frustration. Google Cloud users have reported similar suspensions labeled ACCOUNT_HIJACKED with urgent business impacts, as seen in Google Cloud Community forums from April. Broader complaints about API key exposures leading to Gemini abuse appeared in security analyses earlier this year. One report noted thousands of public Google API keys gained unintended Gemini access, resulting in data risks and surprise bills reaching five figures.

Jones insists he secured his environment. Only he touched the virtual machine. Recommended practices were followed. The absence of any visibility into the key’s exposure leaves him questioning Google’s infrastructure. Did the compromise originate from a VM misconfiguration? A service account permission creep? An undetected vulnerability in Firebase admin SDK handling? The company provides no answers.

And here’s the rub. Detection works. Alerts fire. But accountability stops at the customer doorstep. Google promotes its AI tools aggressively. It charges premium rates for Gemini image generation. When abuse hits, the economics shift. The developer pays. The platform walks away.

Other cloud providers face similar complaints. Yet Google’s dominance in developer tools, Firebase, and now AI APIs amplifies the stakes. Solo operators and small teams lack negotiating power. They cannot absorb five-figure hits. Many simply pay to avoid account loss and move to alternative providers. Some fight in forums. Few prevail.

The pattern suggests systemic gaps. Service account keys, meant for machine-to-machine authentication, often hold broad permissions. When they leak through code repositories, client-side exposure, or internal Google processes, the blast radius expands quickly. Gemini’s image models appear especially attractive to fraudsters seeking to generate bulk content at someone else’s expense.

Jones revoked the key promptly. He cleaned up. Access returned. The bill stands. His case, detailed publicly on July 3, has already drawn attention across cybersecurity discussions on X, where multiple accounts shared the original reporting within hours of publication.

Google’s silence leaves open critical questions. How many similar incidents go unreported? What volume of Gemini abuse stems from compromised credentials versus outright fraud? Does the company quietly write off some charges while pursuing others? Without transparency, customers operate in the dark.

For enterprise users with dedicated account managers the situation may differ. For independent developers like Jones it feels arbitrary. One hand warns of hijacking. The other demands payment for the attacker’s activity. Coordination between security and billing teams appears absent.

Until Google delivers genuine spend caps without loopholes, forensic visibility into credential compromises, and fair appeals that require evidence of fault, these shocks will continue. Developers will weigh the convenience of Google Cloud against the risk of financial ruin from events beyond their control. Some will leave. Others will add layers of monitoring and least-privilege controls at extra cost and complexity.

Jones’s story stands as a cautionary example. He did what the platform asked. The warning arrived. The cleanup succeeded. The charges remained. In the contest between rapid detection and meaningful customer protection, Google’s current approach favors the former while leaving the latter to chance. And for solo developers, chance carries a steep price tag.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us