Hi Google AI/Gemini API team,
I’m posting here in parallel with Google Cloud billing/support channels because this appears to match a number of recent Gemini API billing-spike cases reported, where unexpected automated usage created very large charges in a short period of time.
We are a small company using the Gemini API as part of our product infrastructure. On Saturday, we suffered what appears to have been an unauthorised API/account hijacking event.
What happened
On Saturday, our Gemini API usage suddenly spiked in a way that was completely unrelated to our actual users or normal application traffic.
Before the incident, our Google account had approximately €650–€800 of prepaid credits available.
Within under one hour, the account moved from having prepaid credit to showing approximately €4,200 owed to Google. In practical terms, this appears to represent roughly €5,000 of unexpected Gemini API usage in less than an hour.
This usage was not generated by us, was not caused by any known customer activity, and is completely inconsistent with our historic usage patterns. The attached usage graph shows the flat baseline and the sudden spike on the relevant date.
Google’s own systems appear to have identified the incident
Our account/project was suspended due to suspected hijacking or compromise. That suspension strongly suggests Google’s own systems recognised the traffic as abnormal or potentially unauthorised.
The account has since been reopened, but the situation remains unresolved:
- We still have a credit balance/amount due showing on the account.
- The APIs are not accessible.
- Our service remains disrupted.
- We are unable to use the Gemini API despite the account being reopened.
Why we are requesting review
This was not normal usage. It was a sudden, extreme spike in API spend, occurring within a very short window, and it resulted in Google suspending the account for suspected hijacking.
The pattern appears similar to other recent Gemini API billing spike cases discussed on this forum, including cases involving sudden automated Gemini usage, client-side/API key abuse, delayed billing visibility, and projects being suspended only after substantial charges had already accrued.
I appreciate that API usage may technically have originated from our Google Cloud project, but where Google’s own systems suspended the account for suspected hijacking, it is difficult to treat this as ordinary valid customer usage.
Evidence available
We can provide:
- Cloud Billing screenshots showing the prepaid credit position before the incident and the post-incident balance.
- API usage graphs showing the flat baseline and sudden spike.
- Timeline of the incident and suspension.
- Details of when the account was suspended and reopened.
- Evidence that the usage was not correlated with our users or product activity.
- Any credential/API key history or access logs Google requires for review.
What we are asking
Could someone from the Google AI / Gemini API team please help with the following:
- Confirm the correct escalation route for a billing/security review where Google suspended the account due to suspected hijacking.
- Confirm what additional evidence is needed to support a review of the unauthorised usage.
- Help coordinate between the Gemini API team, Google Cloud billing, and the security team.
- Clarify why the APIs remain inaccessible even though the account has been reopened.
- Review whether the unexpected balance can be waived or adjusted given the apparent unauthorised nature of the activity.
This is a significant and unexpected charge for a small company, and the continued API disruption is affecting our service. Any guidance from Google staff or others who have gone through a similar Gemini API billing spike would be greatly appreciated.
Thanks in advance.
