~$4,368 in unauthorized Gemini API charges from a historically-leaked client-side key (key from 2022) — requesting billing review

Hi,

I’m posting here to share my incident and ask for guidance, in parallel with a billing support ticket and a reply to the Trust & Safety alert that Google’s automated systems sent me earlier today (case 70638202). I’ve seen recent threads here with the same pattern getting helpful responses from Google staff, so I’m hoping for the same.

What happened

On April 27, 2026, an API key associated with one of my GCP projects (“maslinks”) was abused to generate ~USD 4,368 in Gemini API charges in a single day, 100% on image, video, and TTS generation models. I have never used Gemini image/video/TTS generation in this project for any purpose.

The key was created in 2022 and had been used exclusively for the Safe Browsing API for 3+ years, at very low and stable volume consistent with my legitimate use case. Cloud Monitoring shows this clearly: a flat baseline for 3+ years, then a sudden vertical spike on April 27.

Root cause

The key was inadvertently embedded in a client-side JavaScript bundle by a former employee in October 2022, at a time when keys were widely documented as non-secret billing identifiers (consistent with how Google Maps and Firebase keys were treated in their docs at the time). The repository itself is and has always been private, but the JavaScript asset was deployed publicly during that period, making the key accessible to automated scanners.

The affected JavaScript file stopped being part of our production deployment about 18 months ago as a side effect of a broader, unrelated front-end refactor. We were not aware at that time that the file had ever contained an exposed credential, so the key was not rotated. I only discovered the historical exposure today, while doing forensic analysis through the git history of the repo to find the source of the abuse — by which point the credential had already been captured by an automated scanner during the original public-exposure window.

This is the systemic issue Truffle Security disclosed in February 2026 ("Google API Keys Weren't Secrets. But then Gemini Changed the Rules.", Truffle Security Co.) and that Google publicly acknowledged.

Detection

Google’s own Cost Anomaly Detection system caught this automatically (expected daily cost ~USD 12, actual ~USD 4,368) and sent me an email alert. The Trust & Safety team also sent a separate compromised-key notification (case 70638202) the same day.

Remediation completed within hours of detection

  • Compromised API key deleted
  • Generative Language API disabled on the affected project
  • Unused APIs (Vertex AI, Cloud Vision) disabled
  • GitHub Support ticket opened to purge a residual commit object containing the historical key from the (private) repo’s git reflog
  • Per-day quotas configured on Gemini API in another (legitimate) project I use
  • Cloud Billing budget alerts configured
  • Full credential rotation in progress across all projects
  • Payment card frozen at the bank to prevent further unauthorized charges

Evidence available

  • Cloud Monitoring metrics (resource: Consumed API; metric: request_count; grouped by credential_id) showing the 3+ year flat baseline and the April 27 spike
  • SKU-level cost breakdown in Billing Reports showing 100% of the unauthorized usage on Gemini 3 Pro Image, Gemini 3.1 Flash Image, and Gemini 3.1 Flash TTS
  • The Cost Anomaly alert email
  • Timestamps of all containment actions

What I’m asking

  • Confirmation that submitting a billing dispute through GCP Console support is the right primary channel, or whether there’s a faster route for compromised-key cases.
  • Whether Google staff monitoring this forum can help nudge cases 70638202 (security) and the parallel billing case toward a coordinated review.
  • Any guidance on what additional evidence is most useful for the billing team.

Happy to share screenshots in reply, and I am of course available to provide any additional documentation. Thanks in advance.
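The root-cause section above describes a key that survived in a private repo's git history long after the bundle that exposed it was removed from production. The following is an added example (not code from the original post or from Google) of the check the poster did by hand: a scanner for the documented Google API key shape (the literal prefix `AIza` followed by 35 characters from `[0-9A-Za-z_-]`, 39 characters in total) that walks every blob reachable from any ref or reflog entry and every unreachable blob that `git fsck` still reports. The sample bundle text and the key value in it are constructed for the example; the function and helper names are my own.

```python
"""Added example: find Google API keys in a JS bundle and in full git history.

The AIza... shape is the documented format of Google API keys; the sample
bundle and the key value below are constructed and belong to no real project.
"""
import re
import subprocess

# 39 characters: "AIza" + 35 of [0-9A-Za-z_-]. Lookarounds rather than \b,
# because a key may end in "-" or "_", which \b does not treat as word chars.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)


def find_google_keys(text: str) -> list[str]:
    """Return every distinct Google API key in `text`, in first-seen order."""
    found: list[str] = []
    for match in GOOGLE_API_KEY_RE.finditer(text):
        key = match.group(0)
        if key not in found:
            found.append(key)
    return found


def mask(key: str) -> str:
    """Enough of a key to identify it in the Cloud Console without re-leaking it."""
    return key[:8] + "..." + key[-4:]


def _git(repo: str, *args: str, check: bool = True) -> str:
    result = subprocess.run(
        ["git", "-C", repo, *args],
        check=check, capture_output=True, text=True, errors="replace",
    )
    return result.stdout


def scan_git_history(repo: str) -> dict[str, list[str]]:
    """Map blob object id -> keys found, across refs, reflogs and unreachable blobs.

    Deleting a file or rewriting a branch does not delete the blob: it stays
    reachable from another ref or the reflog, or lingers as an unreachable
    object until gc runs. This is why the file that left production 18 months
    earlier could still be found in the repo.
    """
    blob_ids: set[str] = set()
    # Objects reachable from any ref or any reflog entry. Lines are
    # "<sha>" for commits and "<sha> <path>" for trees and blobs.
    for line in _git(repo, "rev-list", "--all", "--reflog", "--objects").splitlines():
        blob_ids.add(line.split()[0])
    # Objects that no ref or reflog entry points at any more.
    for line in _git(repo, "fsck", "--unreachable", "--no-reflogs", check=False).splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "unreachable" and parts[1] == "blob":
            blob_ids.add(parts[2])
    hits: dict[str, list[str]] = {}
    for oid in sorted(blob_ids):
        if _git(repo, "cat-file", "-t", oid).strip() != "blob":
            continue
        keys = find_google_keys(_git(repo, "cat-file", "-p", oid))
        if keys:
            hits[oid] = keys
    return hits


# Constructed sample: a minified bundle that inlines a key next to the
# Safe Browsing endpoint, plus a short AIza-prefixed string that must NOT match.
SAMPLE_BUNDLE = (
    'var s=new SafeBrowsingClient({apiKey:"AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6r",'
    'endpoint:"https://safebrowsing.googleapis.com/v4/threatMatches:find"});'
    'const id="AIzaNotAKeyTooShort";'
)

if __name__ == "__main__":
    import sys

    for key in find_google_keys(SAMPLE_BUNDLE):
        print("bundle contains key", mask(key))
    # Pass a repository path to scan its full object history as well.
    if len(sys.argv) > 1:
        for oid, keys in scan_git_history(sys.argv[1]).items():
            print(oid, [mask(k) for k in keys])
```

Run it with a repo path to list every blob, reachable or not, that still carries a key; the object ids are what a purge request (to GitHub Support, or a local `git gc --prune=now` after rewriting history) needs to name. Any key the scanner reports should be treated as already captured and rotated rather than merely removed from history, which is the point the post makes about the 2022 exposure window.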
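The detection section above relies on Google's Cost Anomaly Detection comparing a day against an expected baseline. As an added example (not the poster's data or Google's algorithm), here is the same check applied to the per-credential `request_count` series the evidence list describes: for each credential, a day is flagged when its count exceeds a multiple of the trailing median. The rows, credential ids, dates and the 5x ratio are constructed for the example; the flat 60-day baseline ending in one spike on 2026-04-27 mirrors the shape the post describes.

```python
"""Added example: flag a per-credential request spike against a trailing baseline.

All rows below are constructed; the credential ids are placeholders.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def detect_spikes(rows, window: int = 30, ratio: float = 5.0, floor: int = 50):
    """Return [(day, credential_id, count, expected)] for days that spike.

    rows: iterable of (day_iso, credential_id, request_count), any order.
    expected is the median of the previous `window` days for that credential;
    a day alerts when count > max(ratio * expected, floor). A median is used so
    that the spike day itself barely moves the baseline on the following days.
    """
    by_cred = defaultdict(list)
    for day, cred, count in rows:
        by_cred[cred].append((day, count))
    alerts = []
    for cred, points in by_cred.items():
        points.sort()
        history = []
        for day, count in points:
            if len(history) >= window:
                expected = median(history[-window:])
                if count > max(ratio * expected, floor):
                    alerts.append((day, cred, count, expected))
            history.append(count)
    return alerts


def constructed_rows():
    """61 days ending 2026-04-27: one old key flat then spiking, one key flat."""
    start = date(2026, 2, 26)  # start + 60 days == 2026-04-27
    rows = []
    for i in range(61):
        day = (start + timedelta(days=i)).isoformat()
        baseline = 200 + (i % 5)          # small, stable jitter around 200/day
        rows.append((day, "key-2022-safebrowsing", 90_000 if i == 60 else baseline))
        rows.append((day, "key-2024-other-project", 50))
    return rows


if __name__ == "__main__":
    for day, cred, count, expected in detect_spikes(constructed_rows()):
        print(f"{day} {cred}: {count} requests, trailing median {expected:.0f}")
```

Grouping by `credential_id` is what makes the evidence convincing: a flat three-year baseline followed by a vertical spike on one key, while other keys in the same project stay flat, rules out a genuine change in the poster's own usage.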

Hi @Pablo_Ariel_Fahnle

Yes, submitting a billing dispute through the GCP Console Support is the correct primary channel for requesting a refund or billing adjustment due to unauthorized usage. The attached evidence is also appropriate; the team will reach out if anything additional is required.