Cloud · Google Cloud · January 15, 2025
$450,000 — a compromised key ran 19 billion characters through the Translation API on Google Cloud
Vendor: Google Cloud
Service: Cloud Translation API
Amount: $450,000 (reported)
Timeframe: ~6 weeks before noticed
Cause: Compromised API key
Outcome: Disputed
Who's exposed: Anyone with a card on file behind an unrestricted API key, especially on a project you inherited or haven't touched in months.
Resolution: Google offered $50,000 in credits against the $450,000 charge. The owner is disputing the rest, arguing the resources were never legitimately used.
Source: self-reported by the owner, with billing screenshots in the thread, on r/googlecloud (by u/hostingtalk).
What happened
A team bought a small translation app with a Google Cloud backend that had run at a steady $1,500/month for years. They put a card on file and left it. Months later, going through their accounting, they found $450,000 in Google Cloud charges across a roughly six-week window. Firebase usage looked normal, but the Translation API showed 19 billion characters translated, far beyond anything the app did. The key had been compromised and abused, and there were no warning emails in their inbox or spam. They rotated the key and filed a billing dispute.
Root cause
An exposed API key let an attacker call the Translation API at scale. Three failures stacked: an unrestricted key, usage-based billing with no hard cap, and no anomaly detection, so a roughly 200x jump over the $1,500/month baseline (about $300,000 a month of spend) ran for weeks. A Google Cloud budget only sends notifications; there is no simple hard dollar cap of the kind that says 'never spend more than $3,000/month on this project', so nothing stopped the surge automatically. The nearest substitutes are the API's own per-project quotas, which can be lowered in the console, and a budget notification wired to code that detaches the billing account.
How to avoid it
• Scope every API key to the exact APIs, IPs, and origins it needs, and lower the API's own per-project quota to what the app actually uses; the quota is the one stop that takes effect immediately, independent of billing. A key restricted by HTTP referrer still ships to every browser and can be replayed with a forged Referer header, so a server-side backend should use a service account with a narrow IAM role rather than an API key. Leaked keys are a recurring cause of runaway cloud bills, and a scoped key limits what an attacker can do with one.
• Set a hard budget cap where the platform allows one. A cap stops spend at a ceiling; a plain alert only notifies. On Google Cloud a budget by itself only notifies, so wire its Pub/Sub notification to a function that detaches the billing account from the project once spend reaches the ceiling, accepting that this also stops every other paid resource in that project.
• Alert on daily spend crossing a few times your baseline, and route it to someone who acts. That turns a six-week surprise into a same-day one. Confirm the alert actually lands: the owner here found nothing in their inbox or spam, so verify the recipient and send a test notification.
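The cap and the baseline alert from the list above, as an added example that is not code from the original post or from Google. It follows Google's documented pattern of a Pub/Sub-triggered Cloud Function that reads a budget notification (fields such as costAmount and budgetAmount) and detaches the billing account through the Cloud Billing API; the project id, budget name, the FakeBillingClient used to run it offline, and the daily cost figures are all constructed for this example.

```python
"""Automated cost controls for a Google Cloud project (added example).

stop_billing is written as a Cloud Functions Pub/Sub background entry point:
it decodes the budget notification Google publishes to the topic and, once
spend reaches the cap, removes the project's billing account, which halts all
paid usage. spend_anomalies is the separate 'few times your baseline' check.
"""
import base64
import json
import os
import statistics

# Hypothetical project id; a deployed function would read it from its environment.
PROJECT_ID = os.environ.get("GCP_PROJECT_ID", "example-translation-app")
CAP_RATIO = 1.0  # detach billing once cost >= 100% of the budget amount


def parse_budget_notification(event: dict) -> dict:
    """Decode the Pub/Sub envelope: event['data'] is base64 JSON with keys such as
    budgetDisplayName, costAmount, budgetAmount, currencyCode, alertThresholdExceeded."""
    return json.loads(base64.b64decode(event["data"]).decode("utf-8"))


def should_disable_billing(notification: dict, cap_ratio: float = CAP_RATIO) -> bool:
    """True when cost-to-date has reached cap_ratio times the budget amount."""
    cost = float(notification["costAmount"])
    budget = float(notification["budgetAmount"])
    return budget > 0 and cost >= cap_ratio * budget


def disable_billing(project_id: str, billing_client) -> bool:
    """Detach the billing account; returns True if one was attached.

    billing_client is a googleapiclient resource for cloudbilling v1 (or the
    fake below). An empty billingAccountName removes the association."""
    name = f"projects/{project_id}"
    info = billing_client.projects().getBillingInfo(name=name).execute()
    if not info.get("billingEnabled", False):
        return False
    billing_client.projects().updateBillingInfo(
        name=name, body={"billingAccountName": ""}
    ).execute()
    return True


def stop_billing(event: dict, context=None, billing_client=None) -> str:
    """Cloud Functions entry point for the budget's Pub/Sub topic."""
    notification = parse_budget_notification(event)
    if not should_disable_billing(notification):
        return "under cap"
    if billing_client is None:
        # Real client, built only when needed so the module imports offline.
        from googleapiclient import discovery  # pip install google-api-python-client
        billing_client = discovery.build("cloudbilling", "v1", cache_discovery=False)
    return "billing disabled" if disable_billing(PROJECT_ID, billing_client) else "already disabled"


def spend_anomalies(daily_costs: list, multiplier: float = 3.0, window: int = 14) -> list:
    """Indices of days whose spend exceeds multiplier x the median of the prior window.
    A median baseline means one spike does not inflate the baseline for the days after it."""
    flagged = []
    for i in range(window, len(daily_costs)):
        baseline = statistics.median(daily_costs[i - window:i])
        if daily_costs[i] > multiplier * baseline:
            flagged.append(i)
    return flagged


class _Request:
    def __init__(self, fn):
        self.execute = fn


class FakeBillingClient:
    """Constructed offline stand-in with the call shape of the cloudbilling v1 resource."""
    def __init__(self, enabled: bool = True):
        self.enabled = enabled

    def projects(self):
        return self

    def getBillingInfo(self, name):
        return _Request(lambda: {"name": f"{name}/billingInfo", "billingEnabled": self.enabled})

    def updateBillingInfo(self, name, body):
        def run():
            self.enabled = body.get("billingAccountName", "") != ""
            return {"name": f"{name}/billingInfo", "billingEnabled": self.enabled}
        return _Request(run)


def make_event(cost: float, budget: float) -> dict:
    """Constructed budget notification, base64-wrapped the way Pub/Sub delivers it."""
    body = {"budgetDisplayName": "translation-app-cap", "costAmount": cost,
            "budgetAmount": budget, "currencyCode": "USD",
            "alertThresholdExceeded": round(cost / budget, 2)}
    return {"data": base64.b64encode(json.dumps(body).encode()).decode()}


if __name__ == "__main__":
    fake = FakeBillingClient()
    print(stop_billing(make_event(1500.0, 3000.0), billing_client=fake))  # under cap
    print(stop_billing(make_event(3000.0, 3000.0), billing_client=fake))  # billing disabled
    # Fourteen quiet days at $50, then a day that looks like this story's 200x surge.
    print(spend_anomalies([50.0] * 14 + [52.0, 48.0, 10000.0]))  # [16]
```

Two caveats belong with this. Billing data reaches budgets with a delay of hours, so a fast-moving attacker still runs up some spend before the function fires; the API quota is the only control that stops calls the moment it is hit. And detaching the billing account takes down every paid resource in the project, which is the right trade for a $1,500/month side project and may not be for one that also hosts production databases.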
CostGoat watches your Google Cloud bills, so a surprise like this reaches you as an alert, not an invoice.
More Bill Shock stories
February 25, 2026
$82,314.44 — a stolen Gemini key turned a small monthly bill into a bankruptcy threat in 48 hours
November 3, 2023
$121,000 — a buggy auto-translate function called a paid API six billion times in two days
August 28, 2022
$213,000 — a hacked account ran Lambda in six regions overnight and support first said it was on you
April 30, 2025
