A stolen Gemini API key turned a $180 bill into $82,000 in two days

Alfonso Maruccia

AI Economy: A team of three developers in Mexico is facing a roughly 455× increase in monthly AI service expenses after an API key associated with their project was allegedly compromised. The key was later used to access Google Gemini services at scale. The small company has reportedly attempted to negotiate relief with Google, but says the company has not offered a payment adjustment.

One of the affected developers shared the incident on Reddit. According to the post, the Google Cloud API key was compromised between February 11 and February 12 and was primarily used to access Gemini 3 Pro Image and Gemini 3 Pro Text services.

The company's typical monthly AI service expense was approximately $180, but the unauthorized usage generated a bill of about $82,314.44. The developers say they were operating under tight financial conditions and were hoping their product would eventually become profitable. Even if only one-third of the billed amount is enforced, they fear the cost could still drive the business toward insolvency.

A Mountain View representative said customers using generative AI services are responsible for securing their own credentials under the platform's Shared Responsibility Model. Under this framework, users are expected to implement appropriate security safeguards, as service providers may not assume liability for misuse resulting from compromised authentication keys.

The developers said they did not believe they made any "obvious" operational mistake. After discovering the compromised key, they attempted to secure their system by deleting exposed keys, disabling Google Gemini API access, and enabling two-factor authentication across their accounts. They also opened a support request with Google, though they report receiving no meaningful resolution so far.

One of the developers argued on Reddit that cloud providers should implement stronger safeguards against extreme billing anomalies. The developer suggested that platforms should automatically halt or verify charges once usage reaches abnormal thresholds, noting the lack of mandatory confirmation mechanisms during sudden usage spikes.
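The control the developer describes, a hold on charges once spend leaves the account's normal range until the customer confirms it, can be sketched as a small policy over daily spend. This is an added example, not code from the article, from the affected team or from Google; the spend figures are constructed to mirror the roughly $6/day baseline and the two-day spike the story reports, and the threshold multiples are assumptions chosen for illustration.

```python
"""Spend-spike guard for a metered API account (added example, constructed data)."""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional

# Constructed daily spend in USD: about $6/day (~$180/month) followed by two
# days modelling the unauthorised usage. These are illustrative, not real bills.
SAMPLE_DAILY_SPEND = [6.1, 5.8, 6.4, 5.9, 6.2, 6.0, 5.7, 6.3, 6.1, 5.9,
                      6.0, 6.2, 5.8, 6.1, 6.0, 40_000.0, 42_314.44]


@dataclass
class Decision:
    day: int
    spend: float
    baseline: Optional[float]   # median of accepted prior days; None while warming up
    ratio: Optional[float]      # spend / baseline
    action: str                 # "allow", "notify", "hold" or "confirmed"


def guard(daily_spend, notify_multiple=5.0, hold_multiple=20.0,
          min_history=7, confirmed_days=frozenset()) -> List[Decision]:
    """Classify each day's spend against a robust baseline.

    The baseline is the median of days already accepted. A median is used so a
    single runaway day cannot drag the baseline up and legitimise the next one.
    Days the customer has explicitly confirmed (confirmed_days) are accepted
    even above the hold threshold and then feed the baseline like any other day.
    """
    accepted: List[float] = []
    decisions: List[Decision] = []
    for day, spend in enumerate(daily_spend):
        if len(accepted) < min_history:
            # Not enough history yet to judge; accept and keep learning.
            accepted.append(spend)
            decisions.append(Decision(day, spend, None, None, "allow"))
            continue
        baseline = median(accepted)
        if baseline > 0:
            ratio = spend / baseline
        else:
            ratio = float("inf") if spend > 0 else 0.0
        if ratio >= hold_multiple:
            if day in confirmed_days:
                action = "confirmed"   # customer vouched for the spike
                accepted.append(spend)
            else:
                action = "hold"        # charges stop until the customer confirms
        elif ratio >= notify_multiple:
            action = "notify"          # keep serving, but alert the customer now
            accepted.append(spend)
        else:
            action = "allow"
            accepted.append(spend)
        decisions.append(Decision(day, spend, baseline, ratio, action))
    return decisions


def exposure(decisions: List[Decision]) -> float:
    """Amount actually billed under the policy: every day except held ones."""
    return sum(d.spend for d in decisions if d.action != "hold")


if __name__ == "__main__":
    for d in guard(SAMPLE_DAILY_SPEND):
        print(f"day {d.day:2d}  spend {d.spend:>10.2f}  action {d.action}")
    print("billed with guard:   ", round(exposure(guard(SAMPLE_DAILY_SPEND)), 2))
    print("billed without guard:", round(sum(SAMPLE_DAILY_SPEND), 2))
```

With these settings the first fifteen days are allowed, both spike days are held, and the billed amount stays at the baseline total instead of the full sum; confirming the first spike day does not unlock the second, because the median baseline barely moves. A per-hour series with the same logic would catch the spike far sooner than a daily one.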

"A jump from $180/month to $82k in 48 hours is not 'normal variability.' It is obvious abuse," the dev said.

The Mexican team has been seeking advice from the developer community online. Some contributors have warned against relying heavily on computation-intensive services such as Gemini-style generative AI APIs. There have also been conflicting claims regarding whether the developers uploaded the compromised key to public repositories such as GitHub, a point that relates to the Shared Responsibility Model emphasized by Google. The developers later disputed assertions that the key was knowingly exposed.
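Whether or not this particular key reached GitHub, a key committed to a repository is the exposure path the dispute turns on, and it is cheap to check for before pushing. The scanner below is an added example, not code from the article, the team or Google: it relies only on the publicly documented shape of Google API keys (the literal prefix `AIza` followed by 35 characters from `[A-Za-z0-9_-]`, 39 characters in total); the repository snapshot and the key in it are constructed, and the key was never issued by anyone.

```python
"""Scan a repository snapshot for committed Google API keys (added example)."""
import re
from typing import Dict, List, NamedTuple

# Google API keys are 39 characters: "AIza" plus 35 characters of [A-Za-z0-9_-].
# The look-arounds reject matches glued into a longer token, and the fixed
# length keeps short documentation placeholders such as "AIzaXXXXXXXX" out.
GOOGLE_API_KEY = re.compile(r"(?<![A-Za-z0-9_-])AIza[0-9A-Za-z_-]{35}(?![A-Za-z0-9_-])")

# Constructed fake key of the right shape for this example only.
FAKE_KEY = "AIza" + "FAKE" * 8 + "FAK"

# Constructed repository snapshot: path -> file contents. Two files leak the
# key (a hard-coded literal and a committed .env); client.py shows the
# hardened form, reading the key from the environment at run time.
SAMPLE_REPO: Dict[str, str] = {
    "app/config.py": "\n".join([
        "import os",
        "",
        "# TODO: move to an environment variable before release",
        f'GEMINI_KEY = "{FAKE_KEY}"',
    ]),
    "app/client.py": "\n".join([
        "import os",
        "# Hardened form: the key lives outside the repository",
        'api_key = os.environ["GEMINI_API_KEY"]',
    ]),
    "README.md": "Export GEMINI_API_KEY=AIzaXXXXXXXX before running the app.",
    ".env": f"GEMINI_API_KEY={FAKE_KEY}",
}


class Finding(NamedTuple):
    path: str
    line_no: int
    redacted: str


def redact(secret: str) -> str:
    """Keep enough to recognise the key in a console, never the whole value."""
    return secret[:8] + "…" + secret[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per key-shaped token in the text, with line numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY.finditer(line):
            findings.append(Finding(path, line_no, redact(match.group())))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan every file in a path -> contents mapping, in deterministic order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: Google API key {f.redacted}")
```

Run as a pre-commit or pre-push hook over the staged files, this rejects the two leaking files and lets the environment-based client through. The same scan over full history matters too: a key removed in a later commit is still in the repository's history, so the fix for a committed key is to revoke it, not to delete the line.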

Before the introduction of modern authentication practices for generative AI services, some older API systems were considered easier to compromise. The developers believe this case may help highlight broader security and billing protection concerns in cloud computing environments. They have reportedly also filed a complaint with the Federal Bureau of Investigation.

They aren't going to see any relief from this. AI is already extremely unprofitable; the cost to Google is probably double the bill they racked up.
 
The developers said they did not believe they made any "obvious" operational mistake...
Other than exposing their secret credentials, they mean?

"A jump from $180/month to $82k in 48 hours is not 'normal variability.' It is obvious abuse," the dev said.
Or a prototype system going live ... I imagine GCP and other cloud providers see similar usage jumps on a daily basis.
 
Interestingly, I had a much better response from Google. I accidentally left something running that consumed Gemini credits up to about $1k, and they did an adjustment and gave it back without question. Customer service was great, helping me stop services etc. The investigation took about 24 hours.
 
Surely a 400x increase in usage should result in account restriction until the account team verify usage?
 
Or a prototype system going live ... I imagine GCP and other cloud providers see similar usage jumps on a daily basis.

I think their point is when these spikes occur, the service provider should halt services until the customer confirms the spike is legitimate, or notify the service provider in advance of a usage spike if it can be anticipated and delays would be undesirable.

I.e. an email from Google saying "this you spending all this money?", just like your credit card provider, would be nice.
 
Welcome to the future. Once AI has been locked in by companies and the workforce let go, the big tech companies will start turning the screws to pay the astronomical bills to set up the data centres and the energy being consumed by all the mindless queries being made of AI.
 
I think their point is when these spikes occur, the service provider should halt services until the customer confirms the spike is legitimate, or notify the service provider in advance of a usage spike if it can be anticipated and delays would be undesirable.

I.e. an email from Google saying "this you spending all this money?", just like your credit card provider, would be nice.
At least you can set a monthly budget with GCP, not something you can do with AWS
 
Great, another avenue for thieves, stealing others' AI time. Until the penalties for cyber crimes are so severe it's not worth it, we'll keep seeing this. START NAILING CYBER CRIMINALS TO THE WALL!
 
Welcome to the future. Once AI has been locked in by companies and the workforce let go, the big tech companies will start turning the screws to pay the astronomical bills to set up the data centres and the energy being consumed by all the mindless queries being made of AI.
Yep, people will see soon enough what a bad idea AI is. They want to *automate crap*, screw people and their families. Now Jensen says the negativity about AI is hurting their industry. Good, as people studied for their dream job just to be replaced by a computer that did not spend thousands to know what a human knows.
 