Stolen Gemini API key racks up $82,000 in 48 hours
salkahfi
84 points
50 comments
March 03, 2026
Discussion Highlights (14 comments)
user34283
Is there a way to limit spending on Google Cloud? As far as I saw you can only set up billing alerts, no hard limit.
voidUpdate
This might have something to do with https://news.ycombinator.com/item?id=47156925
crimsonnoodle58
Is this part of the "keys didn't use to be a secret, now they are" issue with Google? [1] If so, they have a good case on their hands. [1] https://news.ycombinator.com/item?id=47156925
latexr
Contents of the blog are themselves written by LLM. https://github.com/coollabsio/llmhorrors.com/blob/main/CLAUD... The whole website seems to be focused on promoting the author and their projects more than sharing the information. Just link to the original. https://www.reddit.com/r/googlecloud/comments/1reqtvi/82000_... Posted to HN twice recently. https://news.ycombinator.com/item?id=47231708 https://news.ycombinator.com/item?id=47184182
laszlojamf
Slightly unrelated question: how would you spend $82k on prompts in 48 hours? Just phishing?
vincnetas
The tokens are not stolen. They are public. How can you steal public tokens? It's Google's blunder that they allowed public tokens to be used for paid functionality.
LeonidBugaev
Thankfully Google has some basic protection for it. I accidentally committed my Google API token as part of some OTEL trace JSON file, and within a few minutes my key was automatically locked by Google and marked as leaked (with an exact link pointing to where it had happened).
mjbonanno
Oof, $82k in 48 hours is brutal. Makes me even more glad I run everything local where possible.
Traubenfuchs
I understand that cloud resources and automatically stopping them beyond a certain spend are problematic and challenging in many ways, e.g. do you just destroy provisioned compute, storage, data? But for those stupid API keys the corporations have zero excuse not to have configurable limits with a sensible default.
k8sToGo
This is one of the main reasons I prefer to use openrouter instead. It's prepaid.
Addono
Yeah, right...
> Conclusion: Always set billing caps and alerts on cloud API keys.
Sadly, way easier said than done in the case of GCP. Been a proper reason for me to avoid GCP deployments with LLM use cases for smaller projects. I remember looking into this a while back, assuming it would be a sane feature to expect. But for some reason it's surprisingly non-trivial with GCP to set budgets, especially if the only thing you want is a Gemini API key with finite spending. IIRC you could either set (rate) limits on quotas, but quotas are extremely granular (like, per region per model), meaning you need to both set tons of values and understand which quotas to relax. Or alternatively do some bubblegum-and-duct-tape-like solution where you build an event-driven pipeline to react to cost increases in your own project.
I understand that exact budgets are hard to enforce in real time, especially for their more complex infra offerings. However, (1) even if it's not exactly real-time but instead enforced every hour, that's already going to go a long way, and (2) PAYG LLM usage is billed rather linearly by the number of tokens you use, so if there were an easy way to set a dollar amount and have that expressed as budgets, that would already get you part of the way there.
Anyway, the current state of GCP budgeting makes me avoid it for production usage until I'm ready to commit significant effort to harden it. For all small projects, the free-tier tokens are a safe bet, but their extremely low rate limits make them rarely a good fit.
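One way to build the event-driven pipeline Addono describes, added here as an example that is not from the thread or from Google's own code: a Cloud Functions handler that consumes Cloud Billing budget notifications from Pub/Sub and detaches the project's billing account once spend reaches the budget, which stops paid Gemini API calls from that project. It assumes the documented notification fields (costAmount, budgetAmount), the Cloud Billing v1 getBillingInfo/updateBillingInfo methods via google-api-python-client, and a placeholder PROJECT_ID.

```python
import base64
import json
import os

# Placeholder project id (assumption): the project that owns the Gemini API key.
PROJECT_ID = os.environ.get("GCP_PROJECT", "my-project-id-placeholder")
PROJECT_NAME = f"projects/{PROJECT_ID}"


def make_sample_envelope(cost: float, budget: float) -> dict:
    """Constructed sample of the Pub/Sub envelope a budget notification arrives in."""
    payload = {"costAmount": cost, "budgetAmount": budget, "currencyCode": "USD"}
    return {"data": base64.b64encode(json.dumps(payload).encode()).decode("ascii")}


def parse_budget_notification(event: dict) -> dict:
    """Decode the base64 JSON payload; it carries costAmount and budgetAmount."""
    return json.loads(base64.b64decode(event["data"]).decode("utf-8"))


def should_disable_billing(notification: dict, cap_ratio: float = 1.0) -> bool:
    """True once cost-to-date reaches cap_ratio of the budget.

    Notifications are sent several times a day and billing data lags real
    usage, so this is an after-the-fact brake, not a real-time cap.
    """
    cost = float(notification["costAmount"])
    budget = float(notification["budgetAmount"])
    return budget > 0 and cost >= budget * cap_ratio


def disable_billing(project_name: str) -> bool:
    """Detach the billing account so paid API calls stop; True if it was attached."""
    from googleapiclient import discovery  # lazy: needs ADC credentials at runtime
    projects = discovery.build("cloudbilling", "v1", cache_discovery=False).projects()
    if not projects.getBillingInfo(name=project_name).execute().get("billingEnabled"):
        return False
    projects.updateBillingInfo(name=project_name, body={"billingAccountName": ""}).execute()
    return True


def stop_billing(event: dict, context=None) -> str:
    """Cloud Functions entry point for a Pub/Sub-triggered budget notification."""
    notification = parse_budget_notification(event)
    if not should_disable_billing(notification):
        return "under budget"
    return "billing disabled" if disable_billing(PROJECT_NAME) else "already disabled"
```

Because billing data lags usage by hours, this bounds the damage rather than enforcing an exact cap; detaching billing also disables every paid service in the project, so the key is best kept in a project of its own.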
impure
Billing caps? Google? Ha ha ha ha... OK, I'm sad now.
apt-apt-apt-apt
Yeah, I couldn't figure out how to set billing caps on the Gemini API. Here's what the chatbot said:
Me: Help me cap gemini API request costs ... limit total billing for this project to max $100 a month
GC: Hello! While it's not possible to set a hard spending cap on Gemini API requests, you can set up billing alerts to monitor your costs and avoid surprises.
Me: How to set hard budget limit tied to billing account
GC: Based on your account information, it is not possible to set a hard budget limit that automatically stops charges for a billing account.
Me: How to set quota for gemini api?
GC: Sorry, I'm not able to answer that question.
tim-tday
Let me guess. Leaked due to improper handling of the key.