
Google Cloud Service Wakes Up to a $18,392 Bill Despite a $7 Budget – Due to a Beginner's Mistake

Australian AI consultant Jesse Davis recently experienced a bizarre incident: he had set a monthly budget of only $7 (approximately 50 yuan) on his Google Cloud account, yet woke up to a bill of $18,392 (approximately 132,400 yuan). All of the charges were generated within a few hours overnight.

Davis says he is familiar with the security practices for Google's AI development platform: he routinely configures a separate API key for each project, splits projects across independent billing accounts, enables two-factor authentication, and turns on cloud audit logs.

Yet Davis discovered that the attacker had not stolen the key. Instead, they found the public URL of a cloud-hosted service he had deployed months earlier. Although that URL had never been shared externally or indexed by search engines, it was still used to send more than 60,000 requests to the service.

Google's official agent framework automatically reads the API key from a plaintext environment variable inside the container and uses it to authorize each incoming access request.

As a result, by the time the budget alert arrived the next morning, $6,881 (approximately 47,000 yuan) had already been charged to Davis's credit card, and while he was in contact with Google customer support a further $10,321 (approximately 70,500 yuan) was charged.

Google Cloud does offer nine security safeguards that could have prevented the incident, but all of them are disabled by default.
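The service described above had no brake of its own: an unauthenticated public URL, an agent that signs every incoming call with the project key taken from the container environment, and a budget alert that fires hours after the money is gone. The Python guard below is an added example, not code from the article or from Google, showing the kind of safeguard that would have stopped the run-up: it rejects unauthenticated callers, rate-limits each client, and enforces a hard dollar cap that refuses upstream calls once reached. The per-request price, the client id and the burst scenario are constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed values for this example: a flat per-request price stands in for real
# token pricing, and the cap mirrors the $7 monthly budget from the article.
COST_PER_REQUEST_USD = 0.30
HARD_SPEND_CAP_USD = 7.00
MAX_REQUESTS_PER_CLIENT_PER_MIN = 10

class SpendGuard:
    """Hard spend cap plus per-client rate limit in front of a paid upstream API; unlike a budget alert it refuses traffic."""

    def __init__(self, cap_usd, cost_per_request, per_min_limit, clock=time.monotonic):
        self.cap_usd, self.cost, self.per_min_limit = cap_usd, cost_per_request, per_min_limit
        self.clock = clock                    # injectable so the scenario below is deterministic
        self.spent_usd = 0.0
        self.windows = defaultdict(deque)     # client_id -> timestamps of recent requests

    def _rate_ok(self, client_id):
        now, q = self.clock(), self.windows[client_id]
        while q and now - q[0] >= 60:         # drop timestamps outside the 60 s window
            q.popleft()
        if len(q) >= self.per_min_limit:
            return False
        q.append(now)
        return True

    def allow(self, client_id, authenticated):
        """Return (allowed, reason). Unauthenticated and rate-limited callers are
        rejected before they can consume any of the spend budget."""
        if not authenticated:
            return False, "unauthenticated"
        if not self._rate_ok(client_id):
            return False, "rate_limited"
        if self.spent_usd + self.cost > self.cap_usd:
            return False, "spend_cap_reached"
        self.spent_usd += self.cost
        return True, "ok"

def simulate_burst(n_requests, spacing_s=3.0, authenticated=True):
    """Constructed scenario: one client fires n_requests spaced spacing_s seconds apart
    on a fake clock. Returns (outcome counts, dollars that reached the upstream API)."""
    ticks = [0.0]
    guard = SpendGuard(HARD_SPEND_CAP_USD, COST_PER_REQUEST_USD,
                       MAX_REQUESTS_PER_CLIENT_PER_MIN, clock=lambda: ticks[0])
    outcomes = defaultdict(int)
    for i in range(n_requests):
        ticks[0] = i * spacing_s
        outcomes[guard.allow("client-a", authenticated)[1]] += 1
    return dict(outcomes), round(guard.spent_usd, 2)
```

With 60 requests three seconds apart, the rate limit turns away half of them and the cap stops the rest after $6.90, so no burst can exceed the budget regardless of how long it runs.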

Worse still, Google automatically raised Davis's account tier without any notification. The account was originally at level 2, with a spending limit of $2,000 (approximately 14,400 yuan).

When the abnormal spending exceeded the $1,000 (approximately 7,200 yuan) threshold, the system automatically upgraded the account, raising the spending limit to between $20,000 and $100,000 (approximately 144,000 to 720,000 yuan).

Fortunately, Google ultimately waived all of the fees and the bank refunded the deducted amount. Davis has scheduled a meeting with Google management specifically to discuss the security gaps.

Similar incidents are not uncommon, with multiple users in the Google Cloud community forum reporting similar experiences:

A Japanese user was inexplicably billed $44,000 (approximately 316,800 yuan) during normal use of the cloud service, and the charges kept climbing to $128,000 (approximately 921,600 yuan) even after the user manually shut down the API.

In March, another user's API key was abused, producing a bill of $82,314.44 (approximately 592,700 yuan) within two days, although the account's normal monthly spend was only $180 (approximately 1,296 yuan).

Cybersecurity firm Truffle Security Co. has previously warned that Google Cloud uses a single, unified API key design that was originally intended only as a project identifier.

Once a project enables a large-model API service, that old general-purpose key is automatically promoted to a paid authorization credential. If the key leaks, attackers can freely call the paid APIs and run up cloud service bills.

Unless Google changes its API permission rules and addresses these security shortcomings, such exorbitant billing incidents will continue to occur.