woke up with a bill of more than 18,000

The cloud is somewhat invisible until the bill arrives. We build an application, we test an API, we leave a budget set up and carry on with our lives, trusting that the system will warn us if something goes off plan. The problem is that warning is not the same as stopping. And that difference, which may seem like a technical nuance, is exactly what separates a controlled test from a huge debt when a key is exposed, someone uses it and the charges begin to accumulate without us seeing it.

That’s what Venturaxi, a Reddit user who told his story, claims happened to him. According to the GRYOnline.pl account, he went to sleep with a budget alert set to 10 Australian dollars (about 7.15 US dollars) and woke up to a bill of 25,672.86 Australian dollars in Google Cloud, just over 18,000 US dollars at the exchange rate. The user maintains that, during the night, some 60,000 unauthorized requests were made through an API key that he could not initially identify. The story, it should be stressed from the beginning, comes from his public testimony, not from an independent investigation.

An alert can sound while the bill keeps growing

The key is in a nuance that Google explains in its own documentation on budgets: a budget alert does not stop consumption, it only sends notifications when certain thresholds are reached. That is, it serves to inform us that spending is close to or has exceeded a figure, but it does not work as a switch that automatically cuts off the service. In normal use that may be enough to react in time. In a scenario with automated requests and a compromised key, however, the meter can keep running even though the notice has already been sent.
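Google's own documentation describes the way to turn that notification into a stop: route the budget alert to a Pub/Sub topic and have a function react to it. The following is an added example, not code from the article or from Google; it decodes a budget notification in the documented Pub/Sub shape and decides when to go beyond alerting and detach the billing account from the project. The `HARD_STOP_RATIO` value and the project name are assumptions; the request it builds is not sent anywhere here.

```python
import base64
import json

# Assumption for this example: detach billing once spend reaches 100% of the budget.
HARD_STOP_RATIO = 1.0


def parse_budget_notification(pubsub_message: dict) -> dict:
    """Decode a Cloud Billing budget notification as delivered by Pub/Sub.

    The base64 `data` field carries JSON with costAmount, budgetAmount,
    currencyCode and, once a threshold fires, alertThresholdExceeded.
    """
    payload = json.loads(base64.b64decode(pubsub_message["data"]).decode("utf-8"))
    return {
        "cost": float(payload["costAmount"]),
        "budget": float(payload["budgetAmount"]),
        "currency": payload.get("currencyCode", ""),
        "threshold": payload.get("alertThresholdExceeded"),
    }


def plan_response(notification: dict, project_id: str) -> dict:
    """Turn an informational alert into an action.

    Below HARD_STOP_RATIO the event stays an alert. At or above it, the plan
    carries the projects.updateBillingInfo request that detaches the billing
    account (empty billingAccountName), which is what actually stops charges.
    """
    budget = notification["budget"]
    ratio = notification["cost"] / budget if budget > 0 else 0.0
    if ratio < HARD_STOP_RATIO:
        return {"action": "alert-only", "ratio": round(ratio, 3)}
    return {"action": "disable-billing", "ratio": round(ratio, 3),
            "resource": f"projects/{project_id}", "body": {"billingAccountName": ""}}


def make_message(payload: dict) -> dict:
    """Wrap a dict the way Pub/Sub delivers it; used only to build the sample."""
    data = base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")
    return {"data": data}


if __name__ == "__main__":
    # Constructed sample: a 10 AUD budget long overrun, as in the article's scenario.
    overrun = make_message({"costAmount": 412.5, "budgetAmount": 10.0,
                            "currencyCode": "AUD", "alertThresholdExceeded": 1.0})
    print(plan_response(parse_budget_notification(overrun), "example-project"))
```

Detaching the billing account shuts down every chargeable service in the project, so this is a deliberate trade-off for test projects rather than something to wire onto production without thought.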

The most delicate part of this story is easier to understand if we leave the jargon behind for a moment. An API key is, in practical terms, a key that allows an application to identify itself to a service and say: I am this account, let me in. As long as it is stored securely, it does its job. If it is exposed, someone else can use it to generate requests that will be charged to that account. Google recommends protecting these keys, rotating them, and restricting them by domain or IP. Venturaxi claims that the key used came from an old gardening app created for his mother in Cloud Run.

Here appears one of the most confusing parts of the case. The user explains that, at first, he did not find that key in the usual list of AI Studio keys, although Google pointed to it as the source of the consumption. Later, according to his update on Reddit, he managed to locate it in another section of the Google Cloud console thanks to another user’s tip. The match was by the key’s visible name, not by the full key, which made it difficult to follow the trail.


The most frustrating part came when he tried to ask for help. In his post, he says that he first dealt with automated agents, then with various support staff, and later with escalation managers, without having a single person follow the case from start to finish for days. He also maintains that, as the requests continued, he had to insist several times that his account had been compromised before getting an escalation.

The other delicate point is at the account level. Venturaxi maintains that his billing account was automatically raised to a higher tier because of its age and payment history, although the affected project was much more recent. According to the explanation he says he received from Google, this change reflected the trust associated with the account, not necessarily the specific project. The result, always according to his story, was that he was able to consume more than he expected, without clear notification or specific consent.

The case has travelled far precisely because it does not appear to be isolated in the conversation. On Reddit, other users say they have experienced similar scares with unexpected charges, compromised credentials or billing disputes that were hard to resolve. That doesn’t make every story verified evidence, but it gives us an idea of what might be happening. At the same time, it helps to understand why Venturaxi’s post has resonated: it points to a concern shared by several developers.

According to the developer, the bill of 25,672.86 Australian dollars ended up being canceled, and Google is also said to have returned the $9,800 that, according to his account, had been charged in five increasing collection attempts. The financial outcome, therefore, would have been resolved in his favor. Even so, the user maintains that he still had no clear answers about several points of the incident: how the key was exposed, what triggered the account tier jump or where exactly the traffic came from.


The most striking thing about this story is not only the number, but how easy it is to see how something like this can get out of control. We are not talking about a large deployment or a huge infrastructure, but rather a key, an old app and an alert that did not do what many users might imagine. That is the warning for anyone working with these services, even in small tests: it is worth reviewing what is left open, which limits are real and which tools only tell us that the problem is already underway.

Images | Xataka with Grok | charlesdeluvio
