[Urgent] Gemini API Billing Issue: Unexpected Charges for Unused Models (Tier 1)

Yes, I’m looking at a bill of $6,909 for calls to GenerativeLanguage.GenerateContent over about a month, none of which I made. I had quickly created an API key during a live Google training session. I never shared it with anyone and it’s not pushed to any public (or private) repo or website. Whoever got hold of it made over a billion requests, 99% of which returned 429 errors. 429s are not supposed to be billed, so the $6k+ is a result of the 1% of calls which succeeded.

I opened a support case and they said:

Generally, any usage on an account that was not caused by a direct error on Google’s side is technically considered “valid usage” even if the activity was unintended by you. A specialized team has raised a consultation with the Product Team. They are currently conducting a deeper investigation to clarify the specific usage details and ensure our findings are completely accurate. I have explicitly requested them to check if we can retrieve request headers or originating IP addresses that could help you identify how the key was being utilized.

Our specialized team investigation concluded that no leaked API keys were detected in your project… The key was not found in public repositories (a standard “leak” check), but they did not provide specific details on the methodology used to reach that conclusion. I understand that this lack of detail is frustrating and leaves your questions about the validity of the traffic unanswered.
I can no longer trust Google APIs. I made the mistake during a live training session of not properly restricting the API key, and didn’t catch the high usage in the cloud console until it added up to thousands. Even after I disabled the API another $2k+ registered. It was just for a quick test and I never used it again personally.

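The pattern the post describes (a sudden flood of requests, almost all throttled with 429, with a small fraction succeeding and being billed) is easy to spot from request logs long before it reaches thousands of dollars. The script below is an added example, not code from the poster or from Google: it buckets per-request log lines by hour, flags hours whose volume jumps far above a quiet baseline or where throttled calls dominate, and tallies the successful (billable) calls inside those hours. The log line format, the sample lines, and the thresholds (`baseline_per_hour`, `spike_factor`, `throttle_ratio`) are all constructed assumptions for the example, not Google Cloud's actual log schema.

```python
from collections import defaultdict

# Constructed log format for this example (not Google Cloud's real schema):
#   "<RFC3339 timestamp> <method> <HTTP status>"
def build_sample_log():
    """Build a constructed log: three quiet requests, then one hour with a burst
    of 500 calls in which 495 are throttled (429) and only 5 succeed (200)."""
    lines = [
        "2024-06-01T09:12:03Z GenerateContent 200",
        "2024-06-01T09:40:51Z GenerateContent 200",
        "2024-06-01T10:05:17Z GenerateContent 200",
    ]
    for i in range(500):
        status = 200 if i % 100 == 0 else 429   # 5 successes, 495 throttled
        minute, second = (i // 10) % 60, i % 60
        lines.append(f"2024-06-01T11:{minute:02d}:{second:02d}Z GenerateContent {status}")
    return "\n".join(lines)


def summarize_by_hour(log_text):
    """Return {hour_key: {"total", "ok", "throttled"}} for every hour seen.

    hour_key is the first 13 characters of the timestamp, e.g. "2024-06-01T11",
    which avoids datetime parsing differences across Python versions."""
    buckets = defaultdict(lambda: {"total": 0, "ok": 0, "throttled": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines rather than crash
        timestamp, _method, status = parts
        bucket = buckets[timestamp[:13]]
        bucket["total"] += 1
        if status == "429":
            bucket["throttled"] += 1
        elif status.startswith("2"):
            bucket["ok"] += 1
    return dict(buckets)


def flag_suspicious_hours(summary, baseline_per_hour=10, spike_factor=10, throttle_ratio=0.5):
    """Return a sorted list of (hour, reason) for hours that look like abuse.

    Two independent signals (assumed thresholds):
      * volume: more than spike_factor x the expected quiet-hour request count
      * throttling: at least throttle_ratio of the hour's calls returned 429,
        which is what a client hammering a key far beyond its quota produces"""
    flagged = []
    for hour, stats in summary.items():
        reasons = []
        if stats["total"] > baseline_per_hour * spike_factor:
            reasons.append(f"volume {stats['total']} > {baseline_per_hour * spike_factor}")
        if stats["total"] and stats["throttled"] / stats["total"] >= throttle_ratio:
            reasons.append(f"{stats['throttled']}/{stats['total']} calls throttled (429)")
        if reasons:
            flagged.append((hour, "; ".join(reasons)))
    return sorted(flagged)


def billable_calls_in(summary, flagged):
    """Count successful (2xx) calls in flagged hours: 429s are not billed, so
    these are the calls that actually turn into charges."""
    return sum(summary[hour]["ok"] for hour, _reason in flagged)


if __name__ == "__main__":
    summary = summarize_by_hour(build_sample_log())
    flagged = flag_suspicious_hours(summary)
    for hour, reason in flagged:
        print(f"ALERT {hour}: {reason}")
    print(f"successful calls inside flagged hours: {billable_calls_in(summary, flagged)}")
```

Run against real logs, the same two signals would have fired in the first hour of the burst in the post rather than a month later. Pairing an alert like this with a billing budget alert and an API key restricted to a single API (and, where possible, a referrer or IP restriction) keeps a leaked or mis-scoped key from running up an open-ended bill.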