Small self-funded startup hit with ~$3,200 in unauthorized Gemini API charges from a project key — project suspended, can't access the console. Has anyone resolved this?
I run a small, self-funded startup out of Bogotá, Colombia — we build a mobile app. A few days ago our Google Cloud project was suspended for "abusive activity consistent with hijacked resources." When I checked billing, I found ~USD $3,187 in unauthorized Gemini API charges racked up in just a few days. Our normal monthly spend is about $18.
As far as I can tell, a third party used an API key from our project to hammer the Gemini API. This lines up with the vulnerability Truffle Security publicly disclosed on Feb 25, 2026: Google API keys (AIza…) are project-scoped, not service-scoped, so once the Gemini API is enabled on a project, existing keys silently gain the ability to call Gemini — even keys created for unrelated services. Google classified it internally as a Tier 1 privilege-escalation bug in Jan 2026, and the root-cause fix was reportedly still in progress as of February. [I'm still confirming whether my specific key falls in this category — checking its creation date and original purpose.]
A few details I think matter:
- I had a $10 budget configured. The "budget exceeded" alert didn't reach me until ~5 hours after the spike started (overnight attack, morning alert) — by then the damage was done. Budget alerts notify; they don't cap spending.
- Google's own auto-billing tried escalating threshold charges ($500, $1,000, $2,000). My card declined most of them — which tells you how far outside normal this was.
- I've already revoked every key I can reach from Google AI Studio. I cannot access the keys inside the GCP project itself because the console redirects me to the suspension page.
Where I'm at: I filed an appeal, got an "Appeal Received" auto-reply, and I've requested the unauthorized charges be reversed. Now waiting.
My questions for the community:
- Has anyone actually gotten a suspension like this reversed, and how long did it take?
- How do I get Google to preserve the project's audit logs before the suspended project is auto-deleted? Those logs (which IPs made the calls) are my proof, and I don't want them gone.
- Any escalation path beyond the standard appeal queue that actually works?
We're a tiny team and a charge like this is existential for us. Any advice or visibility is hugely appreciated.
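Added example, not part of the original post: the point above that budget alerts notify but do not cap spending is the gap most people hit, and the documented way to close it is to route the budget notification to a Pub/Sub topic and have a small Cloud Function detach the project's billing account once actual spend crosses a hard limit, so the project stops accruing paid usage. The handler below is my own illustration of that pattern. The notification field names (`budgetDisplayName`, `costAmount`, `budgetAmount`, `currencyCode`, `alertThresholdExceeded`) are the ones Google documents for budget Pub/Sub messages; the hard-cap value, the sample messages, and the injected `billing_enabled` / `detach_billing` callables are my assumptions so the code runs offline. In production those two callables would wrap the Cloud Billing API calls `projects.getBillingInfo` and `projects.updateBillingInfo` (the latter with an empty `billingAccountName`).

```python
"""Turn a Google Cloud budget alert into a hard spending cap.

Illustrative example (not from the original post). Flow assumed:
  budget -> Pub/Sub topic -> this handler -> detach billing account.

Assumptions (not in the original post):
  - HARD_CAP is an illustrative limit in the budget's currency.
  - billing_enabled() / detach_billing() are injected so the module
    runs offline; production versions wrap the Cloud Billing API
    (projects.getBillingInfo / projects.updateBillingInfo with
    billingAccountName="").
"""
import base64
import json
from dataclasses import dataclass
from typing import Callable, Optional

HARD_CAP = 25.0  # assumed hard cap in the budget's currency


@dataclass(frozen=True)
class BudgetNotification:
    budget_display_name: str
    cost_amount: float            # spend so far in the budget period
    budget_amount: float          # the configured budget, for context only
    currency_code: str
    alert_threshold_exceeded: Optional[float]  # e.g. 0.5, 1.0; absent for forecast alerts


def parse_budget_message(pubsub_message: dict) -> BudgetNotification:
    """Decode the base64 JSON body of a budget Pub/Sub message."""
    payload = json.loads(base64.b64decode(pubsub_message["data"]).decode("utf-8"))
    return BudgetNotification(
        budget_display_name=payload["budgetDisplayName"],
        cost_amount=float(payload["costAmount"]),
        budget_amount=float(payload["budgetAmount"]),
        currency_code=payload.get("currencyCode", "USD"),
        alert_threshold_exceeded=payload.get("alertThresholdExceeded"),
    )


def should_cut_billing(n: BudgetNotification, hard_cap: float) -> bool:
    """Decide on actual spend, not on the threshold percentage.

    A compromised key can blow through every threshold between two
    notifications, so compare the reported cost against the cap directly.
    """
    return n.cost_amount >= hard_cap


def handle_budget_alert(
    pubsub_message: dict,
    hard_cap: float,
    billing_enabled: Callable[[], bool],
    detach_billing: Callable[[], bool],
) -> str:
    """Entry point a Pub/Sub-triggered function would call.

    Returns one of "below_cap", "already_detached", "detached".
    Budget alerts repeat, so the detach must be idempotent: check the
    current billing state before acting.
    """
    n = parse_budget_message(pubsub_message)
    if not should_cut_billing(n, hard_cap):
        return "below_cap"
    if not billing_enabled():
        return "already_detached"
    detach_billing()
    return "detached"


def _encode(payload: dict) -> dict:
    """Build a Pub/Sub-shaped message from a budget payload (constructed)."""
    return {"data": base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")}


# Constructed sample notifications, shaped like Google's budget messages.
SAMPLE_BELOW_CAP = _encode({
    "budgetDisplayName": "app-prod", "alertThresholdExceeded": 0.5,
    "costAmount": 9.4, "budgetAmount": 10.0,
    "costIntervalStart": "2026-03-01T08:00:00Z", "currencyCode": "USD",
})
SAMPLE_OVER_CAP = _encode({
    "budgetDisplayName": "app-prod", "alertThresholdExceeded": 1.0,
    "costAmount": 412.75, "budgetAmount": 10.0,
    "costIntervalStart": "2026-03-01T08:00:00Z", "currencyCode": "USD",
})

if __name__ == "__main__":
    state = {"enabled": True}

    def fake_detach() -> bool:
        state["enabled"] = False
        return True

    for msg in (SAMPLE_BELOW_CAP, SAMPLE_OVER_CAP, SAMPLE_OVER_CAP):
        print(handle_budget_alert(msg, HARD_CAP, lambda: state["enabled"], fake_detach))
```

Two caveats a practitioner should weigh before relying on this. Budget evaluation is not real time, so a cap like this bounds the damage rather than preventing it; the multi-hour lag the post describes still applies to the notification that triggers the detach. And detaching billing is blunt: every paid resource in the project stops, so it belongs on a project that holds only the API usage you are willing to lose. Restricting each API key to the specific services it needs addresses the project-scoped-key problem the post describes separately from spend.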