Unauthorized Gemini API charges on May 2, 2026 (MXN $40K+) — possible link to April Vercel incident — requesting community guidance and Google review

Hi all,

Posting here in parallel with a billing support ticket because I’ve seen recent threads with similar patterns and would appreciate both community input and visibility from the Google AI team.

Project ID: tecnometria-2025
Incident date: May 2, 2026 (Saturday, holiday weekend in Mexico)
Disputed amount: ~MXN $40,000+ (~USD $2,000) in a few hours

Background
My project has been live on Google Cloud since September 2025 — eight months of clean, predictable usage, with monthly Gemini API spend consistently under MXN $1,000 (~USD $50). No prior incidents, no anomalies, no disputes.

The app is deployed on Vercel and consumes the Gemini API for internal flows. The site is not indexed publicly and serves a small, controlled audience.

What happened
On May 2 (a non-working holiday weekend in Mexico), the API received a coordinated burst of requests over a few hours that escalated charges from a normal monthly baseline of ~MXN $1,000 to over MXN $40,000 — a ~40x jump versus an entire typical month, compressed into a single day. Volume, speed, and timing are categorically inconsistent with anything our team is capable of producing manually, and there is no realistic legitimate-traffic scenario that fits.

A budget alert of MXN $300 was configured on the project. Google Cloud recorded that the threshold was exceeded but did not pause API requests (which I understand is by design, but in this case the practical result was charges scaling 130x past my configured limit while no one was awake to respond).

Possible cause (not confirmed)
I want to be careful here: I cannot prove the exact leak vector with 100% certainty. However, the timing and pattern strongly suggest a possible link to the publicly disclosed Vercel security incident of April 18–19, 2026, in which customer environment variables (where my Gemini API key was stored) were exposed via an OAuth supply chain compromise. Vercel publicly urged customers to rotate keys, and the post-leak attack pattern described by their CEO (“rapid and comprehensive API usage”) closely mirrors what I observed.

References:

  • vercel.com/kb/bulletin/vercel-april-2026-security-incident
  • techcrunch.com/2026/04/20/app-host-vercel-confirms-security-incident-says-customer-data-was-stolen-via-breach-at-context-ai/

I have no evidence of the key being exposed through any other common vector — it was never present in client-side bundles, public repositories, or shared artifacts. I have followed standard API key handling practices throughout the project.

Mitigation already taken

  • Revoked the compromised API key
  • Rotated all other credentials stored on Vercel and marked them as “Sensitive”
  • Enabled Data Access audit logs for the Generative Language API
  • Tightened budget thresholds

Update — Google’s own systems independently flagged this as anomalous

After my initial post, I located two automated alerts that Google Cloud
sent me on May 2 itself, which I had overlooked. They confirm that
Google’s own systems detected the abuse in real time:

  • 4:51 AM CST — “150% of budget reached” alert (configured budget:
    $300 MXN)
  • 9:06 AM CST — “Cost anomaly: Unusual cost spike of $40K on project
    tecnometria-2025”

The Cost Anomaly alert reports:

  • Total actual cost: MXN $40,266.47
  • Expected cost (per Google’s own model): MXN $316.28
  • Cost impact: MXN $39,950.19
  • Top contributor: Gemini API ($40,222.17 — i.e. virtually 100% of
    the spike)

This is an independent confirmation, generated by Google’s internal
systems with no input from me, that the May 2 activity was a ~127x
deviation from this project’s expected baseline.

Between 4:51 AM and 9:06 AM, charges escalated by approximately
$12,000 MXN per hour while no enforcement action was taken on Google’s
side. I have forwarded both alerts to the support team handling case
#70841985.

What I’m asking

This isn’t an abstract billing dispute for me. The charge was already processed against my payment method, and an amount of this size — landing unexpectedly on the finances of an independent operator in Mexico — has a real and significant impact on my personal economy. It directly affects my ability to cover essential monthly expenses I rely on for daily living. Recovering this charge through a goodwill review would make a genuine, material difference in my situation.

With that context:

  1. Has anyone from the Google AI / Cloud team seen similar reports tied to the April Vercel incident? Is there a coordinated review process for potentially affected customers?

  2. To the community: what additional evidence has worked well in goodwill reviews for cases like this?

  3. I have an open billing support ticket (case #70841985 if assigned) and would deeply appreciate visibility and timely review given the real-world financial impact described above.

Happy to share additional logs, audit data, or screenshots as needed. Thanks for any guidance.

Update May 5, 2026: I have also formally requested reclassification
of case #70841985 from “general billing query” to “unauthorized
charges dispute” and submitted the anomaly detection evidence above
to support.

I believe I had a similar situation arise, potentially due to the Vercel hack, as I also do not have any public repo or any other place with the key. I have an app that I was testing and developing and had a cap of USD $10, but it hardly has usage exceeding $1. I got a notice from Google Cloud saying "Immediate action required: Suspension of your Google Cloud Platform/API project DhavalPortfolio2026 Gemini API (id: gen-lang-client-0626604128)" and they locked my account where I couldn’t even see the usage data or anything prior to requesting an appeal. I mitigated and my account has been reinstated, but overnight the usage spiked over 115,000% (even though the dollar amount was minuscule, it’s a huge jump). I wonder if there’s a way to even prevent something like this from happening and limit the API usage to a specific domain or project or something!
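Both the original poster’s “tightened budget thresholds” mitigation and the question above run into the same limit: a Cloud Billing budget only notifies, it never throttles. The following is an added example, not code from either poster, of the pattern Google documents for turning a budget notification into an enforcement action. It assumes the budget is wired to a Pub/Sub topic carrying the standard notification JSON (field names taken from that schema), that the handler runs as a service account permitted to call `serviceusage.services.disable`, and that `PROJECT_ID` is a placeholder for the real project.

```python
import base64
import json
import os

# Constructed sample of a budget notification, shaped like the JSON that Cloud
# Billing publishes to Pub/Sub (field names assumed from the documented schema).
SAMPLE_EVENT = {
    "data": base64.b64encode(json.dumps({
        "budgetDisplayName": "gemini-monthly",
        "alertThresholdExceeded": 1.5,
        "costAmount": 452.10,
        "costIntervalStart": "2026-05-01T00:00:00Z",
        "budgetAmount": 300.0,
        "budgetAmountType": "SPECIFIED_AMOUNT",
        "currencyCode": "MXN",
    }).encode()).decode()
}

# Spend/budget ratio at which the API is switched off; 1.0 = as soon as the
# budget itself is exceeded (an alert alone never stops traffic).
CUTOFF_RATIO = 1.0

def parse_budget_alert(event: dict) -> dict:
    """Decode the base64 JSON payload of a Pub/Sub budget notification."""
    return json.loads(base64.b64decode(event["data"]).decode())

def should_cut_off(alert: dict, cutoff_ratio: float = CUTOFF_RATIO) -> bool:
    """True when actual spend in the budget interval reaches the cutoff.
    Uses costAmount, not alertThresholdExceeded, which forecast-only
    notifications omit."""
    budget = float(alert.get("budgetAmount", 0))
    if budget <= 0:
        return False
    return float(alert.get("costAmount", 0)) / budget >= cutoff_ratio

def disable_api(project_id: str, api: str = "generativelanguage.googleapis.com") -> str:
    """Disable the API with the Service Usage API (google-api-python-client).
    Imported lazily so the decision logic above runs without the client."""
    from googleapiclient import discovery
    svc = discovery.build("serviceusage", "v1", cache_discovery=False)
    name = f"projects/{project_id}/services/{api}"
    svc.services().disable(name=name, body={}).execute()
    return name

def handle_budget_alert(event: dict, context=None):
    """Pub/Sub-triggered entry point; PROJECT_ID env var is a placeholder name."""
    alert = parse_budget_alert(event)
    if should_cut_off(alert):
        return disable_api(os.environ.get("PROJECT_ID", "PLACEHOLDER-PROJECT"))
    return None
```

Budget data lags real spend by hours, so this is a backstop that bounds the damage rather than a hard cap, and re-enabling the API after a cut-off is a deliberate manual step.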