Google users fight for refunds as unauthorized API usage bills soar


AI + ML


'What the hell is going on? It's just draining my money'

O'Ryan Johnson

Published Wed 13 May 2026 // 00:03 UTC

UPDATED: After we published this story, Google reimbursed both of the sources who spoke to us on the record for it, Isuru Fonseka and Rod Danan. But the company has said it will hold fast on its policy of automatically expanding spending limits. Read our follow-up here.

Original story below:

Several Google Cloud customers say their API keys have been compromised and used by bad actors to run inferencing workloads using the most expensive video and picture models, leaving them with bills for tens of thousands of dollars and weeks of back-and-forth headaches with the Chocolate Factory as they tried to prove they were not responsible for the mess.

The problem is being hashed out on social media, with sites like Reddit collecting stories from Google Cloud users that follow a similar pattern: after months or years of paying small monthly bills to Google Cloud for access to tools like Maps, their API keys are discovered, and within minutes they are charged thousands of dollars for API calls to Nano Banana and Veo 3.

Google told The Register this is an industry-wide problem and not a security issue specific to Google. It said the vast majority of these incidents happen due to compromised user credentials, such as API keys inadvertently leaked on public code repositories like GitHub, and malicious actors who are actively scraping public repositories.

Google said it encourages all customers to implement robust security practices, including enabling multi-factor authentication, routinely auditing API keys, and ensuring credentials are never committed to public repositories.

But those explanations are complicated by developers and security threat researchers who said there are thousands of accounts that are following Google's own site configuration rules by placing their API keys in a public client.

Additionally, one user told The Register they had spending caps in place that should have stopped any bill over $250. Yet according to Google, those caps can be automatically raised to $100,000 – without user input – if the user has spent a total of $1,000 over the life of the account and the account is more than a month old.

'What the hell's going on?'

Rod Danan is CEO of Prentus, a company that helps job applicants with interview preparation and tracks job placements for universities. He uses API calls to Google Maps as a part of his platform. For years his bill never topped $50 a month, he told The Register. Then in March he got an email alert from Google saying he was being charged $3,000, and panic took hold.

“It's just ‘Boom, we just charged you $3,000.’ I'm like, ‘What the hell's going on?’ And then you go into the application, like, ‘What is triggering this? What is the source?’ So just determining that is honestly not that simple,” he told The Register. “As I'm searching, five minutes go by and another $5,000 get charged. I'm like, ‘What the hell is going on? It's just draining my money.’”

Despite the spending caps he said he had in place, by the time he shut down the API minutes later, his credit card had been charged $10,138, almost entirely for Veo 3 video generation and Gemini image output tokens, services he has never used and that have no connection to his product.
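The pattern in Danan's account (a key that had only ever paid for Maps suddenly billing thousands of dollars against video and image models within minutes) is exactly what a customer-side spend monitor can catch far earlier than a monthly cap that the provider may raise on its own. The following is an added example, not code from the article, Google, or Prentus: it runs over a constructed list of usage records (timestamp, service, cost) and raises an alert when either a service absent from the account's billing history appears, or spend inside a short sliding window exceeds the cap the customer intended. The record format, service names, and thresholds are assumptions.

```python
"""Customer-side burst-spend detector over per-call usage records.

Added example for the incident pattern described above. The record format,
the service labels, and the thresholds are assumptions; this is not a Google
Cloud API and does not query any billing system.
"""
from datetime import datetime, timedelta

# Services that appear in the account's prior billing history (assumption).
BASELINE_SERVICES = {"maps"}
# The spending limit the customer believed was in force (assumption).
INTENDED_CAP_USD = 250.0

# Constructed sample: months of tiny Maps usage, then a burst on video/image
# models within seven minutes. Costs are illustrative, not real prices.
USAGE = [
    ("2026-03-10T09:00:00", "maps", 0.35),
    ("2026-03-10T09:01:00", "maps", 0.35),
    ("2026-03-10T09:02:00", "veo", 3000.0),
    ("2026-03-10T09:05:00", "gemini-image", 2000.0),
    ("2026-03-10T09:07:00", "veo", 5000.0),
]


def parse(records):
    """Turn (iso_timestamp, service, cost) tuples into sortable rows."""
    return sorted((datetime.fromisoformat(ts), svc, float(cost)) for ts, svc, cost in records)


def unknown_service_alerts(records, baseline):
    """Services billed that never appeared in the account's history."""
    return sorted({svc for _, svc, _ in records if svc not in baseline})


def window_burst_alerts(records, window_minutes, cap):
    """Sliding-window spend check: every window whose total exceeds `cap`.

    Returns (window_start_iso, window_end_iso, total) for each record at
    which the trailing window's spend is above the cap.
    """
    rows = parse(records)
    window = timedelta(minutes=window_minutes)
    alerts = []
    start, total = 0, 0.0
    for end, (ts, _svc, cost) in enumerate(rows):
        total += cost
        # Drop records that fell out of the trailing window.
        while ts - rows[start][0] > window:
            total -= rows[start][2]
            start += 1
        if total > cap:
            alerts.append((rows[start][0].isoformat(), ts.isoformat(), round(total, 2)))
    return alerts


def should_disable_key(records, baseline, cap, window_minutes=5):
    """Decision the monitor would act on: revoke/rotate the key and page someone."""
    return bool(unknown_service_alerts(records, baseline)) or bool(
        window_burst_alerts(records, window_minutes, cap)
    )


if __name__ == "__main__":
    print("unexpected services:", unknown_service_alerts(USAGE, BASELINE_SERVICES))
    for w in window_burst_alerts(USAGE, 5, INTENDED_CAP_USD):
        print("burst:", w)
    print("disable key:", should_disable_key(USAGE, BASELINE_SERVICES, INTENDED_CAP_USD))
```

The first alert fires on the very first Veo record, both because the service is outside the account's history and because a single call already exceeds the intended cap; in a real deployment the action would be to disable the key immediately rather than wait for an end-of-day billing export.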

Google told him it found no evidence of fraud and has thus far refused to issue a refund. But what makes this especially frustrating for Danan is that he said he was following Google's advice in exposing the API key in the first place.

“You have this Google Maps key, which you know, everyone uses, and the guidance from Google is you're supposed to load it in your front end. So we did that, and all of a sudden they changed the keys so that the Google Maps key, which is exposed publicly, could be used for Gemini, and then they didn't disclose that to customers,” he said. “So then, all of a sudden, I just get multiple emails in a row. It's like $3,000, $5,000, $10,000 charged on your Google account.”

In February, security researchers at Truffle Security Co. published an article warning Google users that their Maps API keys were no longer safe to share publicly. For years, if a coffee shop wanted to place its logo and website on Google Maps, the instructions from Google were to download the widget and upload an API key that linked their site to Google Maps, said Joe Leon, the threat researcher who wrote the warning. He told The Register that about three years ago, Google started allowing those same public API keys to also access Google Gemini models.

“You have all these people that were told, like, for Maps, ‘Put this key in public.’ Now maybe it's them, maybe it's someone else in their organization, ...
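Google's stated advice above is to audit keys and keep them out of public repositories; the Truffle Security warning adds that a Maps key already sitting in a public front end now carries more privilege than its owner assumed. A pre-commit scan is the cheapest control on the first problem. The following is an added example, not code from the article, Google, or Truffle Security: it finds strings with the widely observed Google API key shape (the prefix `AIza` followed by 35 URL-safe characters), reports them by file and line with the key redacted, and lets a team allowlist keys it has deliberately made public. The sample file contents are constructed, and the key format is used only as a heuristic.

```python
"""Pre-commit scanner for Google-style API keys in files about to be committed.

Added example, not from the article or any vendor. The 'AIza' + 35-character
pattern is the commonly observed shape of Google API keys and is used here
purely as a heuristic; a match is a prompt to review, not proof of a live key.
Usage: python scan_keys.py <file> [<file> ...]   (exit 1 if any key is found)
"""
import pathlib
import re
import sys

# Leading/trailing lookarounds avoid matching inside a longer token.
GOOGLE_KEY_RE = re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")

# Constructed sample key (39 characters, correct shape, not a real credential).
SAMPLE_KEY = "AIza" + "EXAMPLEKEY" + "0" * 25
# Constructed front-end snippet of the kind the article describes.
SAMPLE_CONFIG = (
    "// map widget bootstrap\n"
    f"const mapsKey = '{SAMPLE_KEY}';\n"
    "loadMaps(mapsKey);\n"
)


def find_keys(text):
    """Return (key, line_number) for every key-shaped token in `text`."""
    return [
        (m.group(0), text.count("\n", 0, m.start()) + 1)
        for m in GOOGLE_KEY_RE.finditer(text)
    ]


def redact(key):
    """Show only enough of the key to identify it in a key-management console."""
    return key[:8] + "..." + key[-4:]


def scan_text(name, text, allowlist=frozenset()):
    """Findings for one file's contents, skipping deliberately public keys."""
    return [
        (name, line, redact(key))
        for key, line in find_keys(text)
        if key not in allowlist
    ]


def scan_paths(paths, allowlist=frozenset()):
    """Findings across files on disk; unreadable paths are skipped."""
    findings = []
    for p in paths:
        try:
            text = pathlib.Path(p).read_text(errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(str(p), text, allowlist))
    return findings


if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:])
    for name, line, shown in hits:
        print(f"{name}:{line}: possible Google API key {shown}")
    sys.exit(1 if hits else 0)
```

Allowlisting is the hook for the Maps case: a key that is intentionally embedded in a web page should be on that list only after it has been restricted in the cloud console to the Maps APIs and referrers it actually serves, since the scanner cannot see what a key is allowed to call.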
