The editorial argues that Firebase Web API keys ship with a 'no restrictions' default posture that is a decade out of step with modern threat models. It frames the victim as one in a pattern of recurring incidents dating back to January 2026, all with the same root cause: default-permissive keys embedded in client-side bundles that attackers scrape and resell on underground LLM proxy markets.
The editorial highlights that Google Cloud's budget alerts are email notifications, not enforcement — they arrive after the money has already been spent. A true spend cap requires developers to hand-build a Pub/Sub → Cloud Function pipeline to disable billing, which is documented but not default, leaving most projects structurally unable to stop runaway charges.
The editorial reads the attack's shape — 3,500 sustained requests per minute of Gemini Pro-class calls over 13 hours — as evidence of a reseller, not a hobbyist tester. It situates the incident in the broader underground market for 'OpenAI-compatible proxy access,' where Gemini's 1M-token context window and generous pricing have made Google keys the premium SKU being actively hunted.
The original poster documents a €54,000 charge accrued in 13 hours from an unrestricted Firebase browser key and reports following the standard Google billing-dispute path. Their forum post implicitly argues that the only remedy available is opening a case and hoping for a goodwill credit, with no automated protection or guaranteed reversal for clear abuse scenarios.
On April 13, a developer posted to Google's AI developer forum with a billing statement that read like a typo: €54,000 accrued in 13 hours against a Firebase project, all of it against the `generativelanguage.googleapis.com` endpoint — Gemini. The key in question was a standard Firebase Web API key embedded in a client-side application. It had no HTTP referrer restrictions, no API-level restrictions, and no hard quota ceiling. An attacker scraped it (the thread suggests from the frontend bundle, though a leaked `.env` is also plausible), pointed a script at Gemini, and ran inference until the card on file screamed.
The shape of the bill is the interesting part. Roughly 3,500 requests per minute, sustained for most of half a day, all of them Gemini Pro-class calls — the attacker wasn't testing whether the key worked, they were reselling it. Underground marketplaces for "OpenAI-compatible proxy access" have existed since GPT-3.5; Gemini's 1M-token context window and generous free-tier-adjacent pricing have made Google keys the new premium SKU. The victim here is not the first. Similar threads surfaced on the same forum in January and February 2026, each with four- to five-figure damages and the same root cause: a Firebase key that shipped to production with the default "no restrictions" posture.
Google's response so far has been the standard billing-dispute pattern — open a case, wait, hope for a goodwill credit. The forum post explicitly notes that Google Cloud's "budget alerts" are not enforcement; they are email notifications that arrive after the money is already spent. There is no native kill switch that pauses a project when a budget is breached. You can build one with a Pub/Sub → Cloud Function that disables billing on the project, but it's a documented recipe, not a default.
The security model most web developers have internalized is a decade old: Firebase keys are "public," they authenticate the *project*, not the *user*, and security is enforced by Firestore rules and App Check. That mental model was correct when the only thing behind the key was a database you'd already locked down. It is dangerously wrong now that the same key fronts a metered inference API where each call costs real money and there is no row-level security to fall back on.
The economics have inverted. In 2018, an exposed AWS key got you Monero miners and a $3,000 bill. In 2026, an exposed Google AI key gets you a Gemini proxy-as-a-service operation and a €54,000 bill — because LLM tokens retail for more than stolen GPU-hours, and the laundering chain is one HTTPS hop instead of a blockchain. This changes the calculus for every shop that ships an AI feature. The blast radius of a leaked key used to be bounded by rate limits and compute costs that resolved in hours. Gemini, Claude, and GPT keys have effectively unbounded per-minute cost ceilings unless you configure them yourself.
The community reaction on Hacker News was split in a predictable way. One camp — mostly people who've been burned — argued that Google should cap new projects at some sane default and require explicit opt-in to remove the cap, the way Stripe ramps processing limits. The other camp pointed out that Firebase's docs do say to restrict keys, that App Check exists specifically for this, and that a developer shipping an unrestricted browser key to production is not a platform failure. Both are right. The defaults are dangerous, *and* the developer owns the outcome — those statements don't contradict.
What's missing from the debate is a harder question: why is a browser key calling a paid inference API at all? The entire architecture — client → Gemini — is the anti-pattern. Any serious deployment routes LLM calls through a server that injects its own key, applies per-user rate limits, caches, and logs. The people being hit by these bills are shipping MVP-shaped stacks into production: Firebase Auth, Firestore, and a direct Gemini call from the browser because the tutorial said it would work. It does work. It also lets a stranger run your credit card for €4,000 per hour.
The remediation list is short, unglamorous, and almost entirely about defaults you should have set on day one. If you're shipping any Google Cloud key — Firebase, GCP, Vertex — to a browser or mobile client today, you need HTTP referrer restrictions (web), Android/iOS app restrictions (mobile), and explicit API restrictions that list *only* the services the key is allowed to hit. A Firebase key that can call Firestore does not need to be able to call `generativelanguage.googleapis.com`. Tick the boxes.
Second: put LLM calls behind your own backend. This is the same advice people have been giving since the first OpenAI key leak in 2023, and it remains unheeded because it's more work than `fetch()` from the client. The backend doesn't need to be complex — a single Cloud Function or Lambda that proxies the call, authenticates the user, and enforces a per-user daily token budget will save you from the 99th-percentile attack. App Check adds a second layer for the legitimate-client case but does not replace a server-side gate.
Third: build the kill switch you wish Google provided. The pattern is well-documented — a budget alert publishes to Pub/Sub, a Cloud Function receives the message and calls `projects.updateBillingInfo` to disable billing, which halts paid services within minutes. It takes an hour to set up. Set it at 10% of whatever number would ruin your month, not 100% of whatever number would ruin your year. Budget *alerts* are paperwork; a billing-disable function is a circuit breaker.
Google, AWS, and Azure will eventually add native spending caps for AI APIs — the incident volume is becoming a support-cost problem for them, not just a PR problem for customers. Until then, treat every LLM endpoint in your stack as if it's wired directly to your bank account, because it is. The €54k developer will probably get a credit; the next one might not. Restrict your keys today, proxy your calls this week, and assume the attacker already has your bundle.
> We had a budget alert (€80) and a cost anomaly alert, both of which triggered with a delay of a few hours. By the time we reacted, costs were already around €28,000.I had a similar experience with GCP where I set a budget of $100 and was only emailed 5 hours after exceeding the budget by which
Considering the amount of repositories on public GitHub with hard-coded Gemini API tokens inside the shared source code (https://github.com/search?q=gemini+%22AIza%22&type=code), this hardly comes as a surprise. Google also has historically treated API keys as non-secrets, except
As others have said, this is a "feature" for Google, not a bug. There is no easy way to set a hard cap on billing on a project. I spent the better time of an hour trying to find it in the billing settings in GCP, only to land on reddit and figuring out that you could set a budget alert to
I read the following [0] and immediately went to my firebase project to downgrade my plan. This is horrific.> Yes, I’m looking at a bill of $6,909 for calls to GenerativeLanguage.GenerateContent over about a month, none of which I made. I had quickly created an API key during a live Google traini
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
> We had a budget alert (€80) and a cost anomaly alert, both of which triggered with a delay of a few hours> By the time we reacted, costs were already around €28,000> The final amount settled at €54,000+ due to delayed cost reportingSo much for the folks defending these three companies tha