URGENT: Billing suspended while dispute open — OAuth2 hijack via Firebase CLI (Project 563584335869) — production down, weekend escalation needed

Posting here alongside Case #70651534 because my billing account has been suspended and I can no longer access the support portal. My production Firebase services have been down since Friday May 16 evening. Paying customers are affected starting Monday morning.

I’m hoping a Google staff member monitoring this forum over the weekend can escalate this for manual review.


Situation summary

  • Incident date: April 23, 2026

  • Disputed amount: €10,582.40

  • Billing account: 008EA6-2F87BC-0EA8D4 (Continuans)

  • Support case: #70651534 (open since April 27, last agent response April 28)

  • Current status: Billing account suspended May 15. Production Firebase services down. Support portal inaccessible due to suspension. Bank account added as payment method but requires 3-day verification — payment cannot clear until Thursday at earliest.

  • Good faith payment: €500 manual payment made May 15 covering legitimate April usage (~€350/month normal spend)

This is a solo developer running 5 production Firebase projects for paying SME customers in Belgium. Every hour of downtime causes direct business damage.


What makes this case different: Project 563584335869

After spending several nights on forensics, I found something I haven’t seen documented in the other threads here.

When I filtered Cloud Monitoring metrics by credential_id, the top entry was:

oauth2:563584335869-fgrhgmd47bqnekij5i8b5pr03ho849e6.apps.googleusercontent.com — 1.077 /s

Project 563584335869 is Google’s own internal project ID for the Firebase CLI (firebase-tools).

This was not a simple API key scrape. The attacker hijacked an administrative OAuth2 refresh token and authenticated via Google’s own Firebase CLI tooling — bypassing all standard API key restrictions entirely, since OAuth2 token authentication operates outside that control plane.


Attack vector: Vite build-time token leak

A FIREBASE_TOKEN — generated by firebase login:ci for CI/CD — was inadvertently bundled into static production assets in the dist/ folder by the Vite build pipeline. It was scraped by an automated botnet and used to authenticate as Project Owner via the Firebase CLI.

If you use Vite + Firebase, check your built dist/ folder for any string starting with 1// — that’s the format of a Firebase refresh token.


Key forensic evidence

Three credentials abused simultaneously on April 23:

| Credential | Rate | Identity |
|---|---|---|
| oauth2:563584335869-... | 1.077/s | Firebase CLI — Google internal project |
| serviceaccount:116850177128831001368 | 0.403/s | Default compute SA, ledtechno-development |
| apikey:a5ceb77f-... | 0.113/s | API key, ledtechno-development |

All service accounts showed “No keys” — no downloadable JSON key files existed. The compute SA abuse was pure privilege escalation from the hijacked OAuth2 token, not an independent credential leak.

93,000+ OAuth2 requests in 24 hours — approximately 10,000x normal baseline for a solo developer on a local-only project.

86,077,522 units of Gemini 3.1 Flash Image Output billed on April 23 — a model never used in this project.


Remedial actions completed

  1. Firebase CLI OAuth2 token revoked via Google Account Security

  2. All API keys and service account keys deleted

  3. Spend cap implemented, billing disabled on compromised project

  4. Bank account added to billing account for payment (pending 3-day verification)


Request

I am asking for urgent weekend escalation of Case #70651534 for the following reasons:

  1. Production Firebase services for 5 SME customers are down right now

  2. The billing account was suspended while the fraud dispute was actively open and unresolved

  3. The automated billing system and the dispute process operated independently, with no human review

  4. I cannot access the support portal to update my own case due to the suspension lockout

  5. The attack originated from Google’s own Firebase CLI internal project — not from negligent key management

A manual suspension override pending dispute resolution would prevent business damage to customers who had no involvement in this incident.


For other victims reading this

If you see 563584335869 in your Cloud Monitoring credential_id metrics, your Firebase CLI OAuth2 token was hijacked — not just an API key. Standard key restriction advice does not apply. Revoke Firebase CLI access immediately via:

myaccount.google.com/permissions → Firebase CLI → Remove access

To search for affected service accounts across all projects (PowerShell):

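```powershell
# Resolve the numeric organization ID (strip the "organizations/" prefix)
$orgId = (gcloud organizations list --format="value(name)").Replace("organizations/","")

# Search every project in the organization for service accounts matching the numeric ID.
# Replace YOUR_NUMERIC_ID_HERE and YOUR_PROJECT_ID with your own values.
gcloud asset search-all-resources `
    --asset-types="iam.googleapis.com/ServiceAccount" `
    --query="YOUR_NUMERIC_ID_HERE" `
    --scope="organizations/$orgId" `
    --billing-project="YOUR_PROJECT_ID"
```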

Happy to answer questions. And desperately hoping for a Google staff response before Monday morning.