Hacker News
€54K Firebase/Gemini Billing Spike in 13 Hours — Unrestricted Browser Keys as Attack Vector
A developer reported a €54,000+ Gemini API charge within hours after enabling Firebase AI Logic, because unrestricted Firebase browser keys silently gained Gemini access without warning. Part of a broader pattern: Truffle Security found 2,863 publicly exposed Google Cloud API keys that authenticate to Gemini endpoints. Previous victims include an $82K bill in 48 hours and a $15K bill from a solo developer. Google's billing lag means charges accumulate before alerts fire. 395pts on HN.
↳ Follow the thread