Developer disputes $11,000 Google Cloud bill after hijack warning and account suspension
A software developer says Google Cloud flagged his account as compromised, suspended it for suspected abuse, and then left him with more than $11,000 in charges tied largely to Gemini image-generation...
A software developer says Google Cloud flagged his account as compromised, suspended it for suspected abuse, and then left him with more than $11,000 in charges tied largely to Gemini image-generation activity.
Charles Jones, who runs several small web properties, said the billing spike occurred over a 48-hour period between June 7 and June 8. According to the records he shared, the charges totaled $11,089.77. Jones said he does not use any workflow that creates AI-generated images, and he believes the activity was caused by a compromised Firebase service account key.
Google’s suspension notice reportedly told him the account was involved in abusive activity associated with hijacked resources. Jones said he followed the company’s guidance by disabling the affected service account, revoking the key, and reporting the issue as a compromise. While the account was later restored, he said Google’s billing team has continued to refuse to waive the charges.
The dispute highlights a recurring problem for cloud users: unauthorized API or key use can quickly turn into large bills, and customers may still be held responsible even when a compromise is acknowledged. Similar cases have surfaced before, including reports of thousands of dollars in fraudulent charges after API key theft.
Questions over cloud cost controls
Jones also criticized Google’s lack of a widely available spending cap for cloud services. He pointed out that existing tools such as usage limits and budget alerts do not necessarily stop billing once thresholds are reached. In some cases, disabling billing can also risk deleting resources.
- Google has offered spend caps for some services only in preview or experimental form.
- Budget alerts can notify customers, but do not automatically halt usage.
- Temporary caps for the Gemini API include a delay window during which charges may still accrue.
Jones said he has not been shown how the service account key was exposed, despite Google’s warning that it had been compromised. He argued that the company is relying on its shared-responsibility model without demonstrating where the failure occurred.
The Register said it asked Google for comment on the refund denial and the evidence behind it, but had not received a response at the time of publication.
