
Did the "free quota" suddenly turn into a debt of 400,000? A student accidentally leaked the Gemini API key and was saddled with a huge bill: The developer community was in an uproar, and Google finally waived the fee.

CSDN, 2025-09-28 15:09
A small mistake can turn life into a nightmare.

Recently, a student from Georgia shared his harrowing experience in a developer community: through an innocent mistake, he accidentally leaked his Google Cloud Gemini API Key on GitHub. The key was maliciously abused within a few months, and he ended up with a bill as high as $55,444 (approximately 400,000 RMB).

The student said in despair, "A tiny mistake can turn life into a nightmare."

After the incident was exposed, it caught the attention of many programmers and sparked heated discussion. Some questioned why Google doesn't provide a "hard spending cap." Some shared that their own teams had fallen into similar pitfalls. Others expressed sympathy for the student and called on Google to strengthen its user protection mechanisms.

A Nightmare of "Free Credits"

The cause of this incident was quite simple.

The student registered for Google Cloud with his school email, planning to conduct some learning experiments using the $300 free credits provided by Google. In fact, he only spent $80, leaving over $220 in credits.

However, on June 6th, he accidentally committed his Gemini API Key to GitHub. At the time, he believed the repository was private, but in fact the key was exposed in that commit, and he didn't notice. To make matters worse, since it was the summer vacation, he hardly checked his school email, so he remained completely unaware of the problem.

It wasn't until September 7th that a GitHub user messaged him, warning that his API Key had been exposed for a long time and was being misused by others. By then, it was already too late: when he logged into his account to check, the bill had soared to $55,444.

According to the student's description, the bill accumulated in three waves:

● June: $732 (the payment failed because the credit card had expired)

● August: Over $31,000

● September 1st - 7th: Another over $21,000

Even more incredibly, within just two days, the attackers made 14,200 requests to the API. Although all the requests failed, he was still billed.

The Result of Negotiating with Google: Sympathy, but No Cancellation

After discovering the problem, the student immediately revoked the API Key, contacted the Google Cloud Billing Support team, and even reported the incident to the police. He submitted comprehensive evidence, including usage logs, GitHub links, screenshots, and API Key revocation records.

However, Google's final response was:

"The bill remains valid and will not be canceled or modified."

In terms of attitude, Google always remained polite and sympathetic, but also made it clear that the decision was final. Subsequently, the student received a warning: if he didn't pay within 10 days, the debt would be transferred to a collection agency, and additional fees might be incurred.

For a student from Georgia, where the average daily income is about $15, this bill was equivalent to decades of income, as he himself admitted: "This is an amount I can't afford. I never even imagined that a string of API Keys would burden me with such a heavy debt. I'm not trying to shirk responsibility, but I don't want my life to be ruined because of something I didn't do."

Developers' Discussion: Why No "Hard Cap"?

As soon as this post was published, it caused a stir in the developer community. Many developers' first reaction was: why can Google only set up alerts but not truly limit spending?

Some developers complained, "Why can I set up alerts but not a hard cap? I've asked Google Support, but their answers are all the same, like templates automatically generated by AI."

In response, another user explained the reason from the billing mechanism: GCP's billing is based on the "consume first, settle later" model, involving calculations under various conditions (such as whether it's the free tier, cross-regional traffic, etc.). These data need to go through SKU usage → complex factor calculation → pushed to the billing view, which often has a delay of more than one day. Therefore, it's almost impossible to implement real-time hard limits.

However, some people also proposed solutions:

"You can limit the number of API calls through 'Quotas,' but this doesn't apply to all scenarios. My habit is to limit the IP range (IPv4/IPv6) of the service account and use tools like gitleaks to scan before committing code to avoid key leakage."
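The "scan before committing" habit in the comment above is worth making concrete. The following is an added example written for this article, not code from the commenter, from gitleaks, or from Google: a small pre-commit scanner that reads the staged diff and refuses the commit if an added line contains something that looks like a Google API key (the documented format is 39 characters beginning with `AIza`) or a long string literal assigned to a secret-looking name. The file name, the `ASSIGNED_SECRET_RE` heuristic and the `--demo` flag are this example's own choices, and the sample diff, including the key-shaped string in it, is constructed and not a working credential.

```python
"""Pre-commit secret scan over the staged git diff (added example, not gitleaks)."""
import re
import subprocess
import sys

# Google API keys are 39 characters long and begin with "AIza" (documented format).
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)
# Heuristic chosen for this example: a long quoted literal assigned to a secret-looking name.
ASSIGNED_SECRET_RE = re.compile(
    r"""(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*['"]([^'"\s]{16,})['"]"""
)


def redact(value: str) -> str:
    """Show only enough of a value to recognise it in a report, never the whole thing."""
    return value[:6] + "..." + value[-4:] if len(value) > 12 else "***"


def added_lines(diff_text: str):
    """Yield (path, text) for every line the commit would add, skipping '+++' headers."""
    current = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current = line[4:].removeprefix("b/")
        elif line.startswith("+"):
            yield current, line[1:]


def find_secrets(diff_text: str):
    """Return a list of (path, kind, redacted_value) for suspicious added lines."""
    findings = []
    for path, text in added_lines(diff_text):
        for m in GOOGLE_API_KEY_RE.finditer(text):
            findings.append((path, "google-api-key", redact(m.group(0))))
        for m in ASSIGNED_SECRET_RE.finditer(text):
            if not GOOGLE_API_KEY_RE.search(m.group(2)):  # already reported above
                findings.append((path, "assigned-secret", redact(m.group(2))))
    return findings


def staged_diff() -> str:
    """The diff of what 'git commit' is about to record; -U0 drops unchanged context."""
    return subprocess.run(
        ["git", "diff", "--cached", "-U0"], check=True, capture_output=True, text=True
    ).stdout


# Constructed sample diff: one removed line (ignored), two risky added lines, one context line.
# The AIza... string is assembled from a fixed pattern and is not a real key.
SAMPLE_KEY = "AIza" + "SyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q"
SAMPLE_DIFF = (
    "diff --git a/config.py b/config.py\n"
    "--- a/config.py\n"
    "+++ b/config.py\n"
    "@@ -1,3 +1,4 @@\n"
    '-GEMINI_API_KEY = os.environ["GEMINI_API_KEY"]\n'
    f'+GEMINI_API_KEY = "{SAMPLE_KEY}"\n'
    '+DB_PASSWORD = "correct-horse-battery-staple"\n'
    ' MODEL = "gemini-pro"\n'
)


def main(argv) -> int:
    diff = SAMPLE_DIFF if "--demo" in argv else staged_diff()
    findings = find_secrets(diff)
    for path, kind, shown in findings:
        print(f"{path}: {kind}: {shown}")
    if findings:
        print("Refusing to commit: remove the secret or load it from the environment.")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with `--demo` to see the two findings on the constructed diff, or have `.git/hooks/pre-commit` call it without arguments so a non-zero exit aborts the commit. Only added lines are inspected, so removing a key from a file never triggers a false alarm, and reported values are redacted so the hook's own output doesn't become a second leak in a CI log.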

Meanwhile, many developers in the discussion expressed sympathy for the student:

"We're all professionals. Who hasn't made a mistake? Life is a continuous learning process. My advice is to first make sure the key is destroyed, enable 2FA, and check if the account has been misused for running VMs or mining. Then, keep contacting Google Billing Support, communicate persistently, and clearly state that this is an abnormal bill caused by a mistake and that you can't afford it. Be honest about your financial situation, keep all communication records, and escalate the appeal if necessary."

"One of my colleagues also leaked a key once. Fortunately, we noticed it within a few hours. It was a company account, and we learned our lesson at a cost of $20,000. The subsequent process of cleaning up the environment was quite interesting, but for individual developers, this could be a devastating blow."

Final Result: Google Fully Waives the Debt

As the post spread, more and more developers paid attention to this incident. Finally, on September 25th, the student posted the latest update:

After a second review by the Google Cloud Billing team, the $55,000 debt was fully waived!

He updated the original post, saying, "I want to express my deepest gratitude to everyone who showed support and provided advice. Your encouragement is very important to me. I also want to thank the Google Billing team for their service."

Nevertheless, this incident still serves as a wake-up call for all cloud service users (especially students and individual developers).

Just as the student said, "A tiny mistake can turn life into a nightmare." For all developers who are learning or using cloud services, this is by no means an exaggeration.

Reference link: https://www.reddit.com/r/googlecloud/comments/1noctxi/student_hit_with_a_5544478_google_cloud_bill/

This article is from the WeChat official account "CSDN." Compiled by Zheng Liyuan. Republished by 36Kr with permission.