CostGoat

Cloud · Google Cloud · January 15, 2025

$450,000 — a compromised key ran up 19 billion translations on Google Cloud

Vendor: Google Cloud
Service: Cloud Translation API
Amount: $450,000 (reported)
Timeframe: ~6 weeks before noticed
Cause: Compromised API key
Outcome: Disputed

Who's exposed: Anyone with a card on file behind an unrestricted API key, especially on a project you inherited or haven't touched in months.

Resolution: Google offered $50,000 in credits against the $450,000 charge. The owner is disputing the rest, arguing the resources were never legitimately used.

Self-reported by the owner, with billing screenshots in the thread. Source: r/googlecloud (by u/hostingtalk)

What happened

A team bought a small translation app with a Google Cloud backend that had run at a steady $1,500/month for years. They put a card on file and left it. Months later, going through their accounting, they found $450,000 in Google Cloud charges across a roughly six-week window. Firebase usage looked normal, but the Translation API showed 19 billion characters translated, far beyond anything the app did. The key had been compromised and abused, and there were no warning emails in their inbox or spam. They rotated the key and filed a billing dispute.

Root cause

An exposed API key let an attacker call the Translation API at scale. It was really three failures stacked: an unrestricted key, usage-based billing with no hard cap, and anomaly controls that let a 200x jump over the $1,500/month baseline run for weeks. Google Cloud has no simple hard dollar cap to set, the kind that says 'never spend more than $3,000/month on this project', so nothing stopped the surge automatically.

How to avoid it

Scope every API key to the exact APIs, IPs, and origins it needs. Leaked keys are the top cause of giant cloud bills, and a scoped key blunts the attack at the source.

Set a hard budget cap where the platform allows one. A cap stops spend at a ceiling; a plain alert only notifies.

Alert on daily spend crossing a few times your baseline. Routed to someone who acts, that turns a six-week surprise into a same-day one.
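The daily-spend alert described above, sketched as an added example (not code from the original post or from Google Cloud). The function name, thresholds and sample figures are assumptions, and the sample is constructed from the numbers in this story: about $50/day normally, then six weeks near $10,714/day. It also shows a failure mode that matters for a surge this long: a plain trailing average absorbs the abuse into its own baseline and stops alerting.

```python
from statistics import mean, median

def spend_alerts(daily_costs, window=28, multiple=3.0, min_history=7,
                 baseline_fn=median, exclude_alerted=True):
    """Return (day, cost, baseline) for days costing >= multiple * baseline.

    The baseline is baseline_fn over the last `window` accepted days. With
    exclude_alerted=True, days that alerted never enter the baseline, so a
    sustained surge cannot become the new "normal" and silence itself.
    """
    accepted, alerts = [], []
    for day, cost in daily_costs:
        history = accepted[-window:]
        alerted = False
        if len(history) >= min_history:  # stay quiet until a baseline exists
            baseline = baseline_fn(history)
            if baseline > 0 and cost >= multiple * baseline:
                alerts.append((day, cost, baseline))
                alerted = True
        if not (alerted and exclude_alerted):
            accepted.append(cost)
    return alerts

# Constructed sample, not real billing data: 30 days near $50/day
# ($1,500/month), then 42 days at roughly $450,000 / 42 per day.
SAMPLE = ([(d, 48 + d % 5) for d in range(30)]
          + [(d, 10714) for d in range(30, 72)])

if __name__ == "__main__":
    robust = spend_alerts(SAMPLE)
    naive = spend_alerts(SAMPLE, baseline_fn=mean, exclude_alerted=False)
    print(f"median, surge excluded: {len(robust)} alert days, "
          f"first on day {robust[0][0]}")
    print(f"plain trailing mean:    {len(naive)} alert days, "
          f"last on day {naive[-1][0]}")
```

Because alerted days stay out of the baseline, a legitimate step change in spend keeps alerting until someone reviews it and resets the history, which is the behavior you want when the alternative is a six-week blind spot.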
