For developers, an API key is like a bank card password. Once leaked, the consequences can be disastrous. Recently, a three-person development team from Mexico posted on the social platform Reddit, seeking help, stating that due to an operational mistake, they accidentally exposed the Google Gemini API key to the public. Within 48 hours, they received a huge bill of $82,000 (about 590,000 RMB).
The developer stated that their team's monthly Gemini usage cost was only about $180. However, because the key was scraped by malicious crawlers and used illegally, the bill surged exponentially within two days. Facing this "astronomical" amount they couldn't afford, the team contacted Google support engineers to request a reduction, but the response was very cold: according to Google Cloud's "shared responsibility model," protecting the key's security is the user's responsibility, not the platform's mistake, so they had to pay the full amount.
This incident has once again sparked collective complaints from developers about Google Cloud's billing mechanism. Unlike platforms like OpenAI, which generally adopt a "prepaid + consumption cap" model, Google Cloud does not apply a hard budget cut-off by default. Although the platform has a budget alert function, if developers don't set it up in advance or don't check their emails in time, the system will not automatically block services even if the request volume suddenly increases dramatically.
In contrast, competitors like OpenAI will immediately shut off API access once the balance runs out. Google provides "request rate limiting" rather than "consumption cap limiting," which objectively leaves a loophole for the generation of "astronomical bills." At present, the developer is still negotiating with Google. Industry experts remind developers to check whether the platform supports mandatory consumption limits when calling various AI models. If there are no relevant security mechanisms, they should be extremely cautious in keeping the keys.
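The gap described above is that a budget alert only notifies; nothing stops spending unless the developer wires the alert to an action. The following is an added example (not code from the article or from the team involved) of the kind of kill switch a defender can attach to a budget notification: it parses the notification payload, compares spend to the budget, and calls a disable-billing hook once a hard-cap ratio is crossed. The notification field names follow the JSON shape Google documents for budget alerts delivered via Pub/Sub; the sample values are constructed, and the `disable_billing` hook is an injected callback (in a real deployment it would call the Cloud Billing API to detach the billing account, which is assumed here rather than implemented, so the example runs offline).

```python
import json
from dataclasses import dataclass
from typing import Callable, Set

# Constructed sample notifications. The keys mirror the documented budget
# notification format (budgetDisplayName, costAmount, budgetAmount,
# currencyCode, alertThresholdExceeded, costIntervalStart); the numbers
# are made up to illustrate a normal month versus a runaway spend.
SAMPLE_NOTIFICATIONS = [
    json.dumps({
        "budgetDisplayName": "gemini-api-budget",
        "costAmount": 120.5,
        "budgetAmount": 180.0,
        "currencyCode": "USD",
        "alertThresholdExceeded": 0.5,
        "costIntervalStart": "2025-01-01T08:00:00Z",
    }),
    json.dumps({
        "budgetDisplayName": "gemini-api-budget",
        "costAmount": 4150.0,
        "budgetAmount": 180.0,
        "currencyCode": "USD",
        "alertThresholdExceeded": 1.0,
        "costIntervalStart": "2025-01-01T08:00:00Z",
    }),
]


@dataclass
class Decision:
    budget: str
    cost: float
    limit: float
    ratio: float
    disable_billing: bool


def evaluate_budget_notification(payload: str, hard_cap_ratio: float = 1.0) -> Decision:
    """Parse one budget notification and decide whether the hard cap is hit.

    hard_cap_ratio is spend divided by budget; 1.0 means "cut off at 100%".
    A zero or missing budget is treated as already exceeded so a misconfigured
    budget fails closed rather than open.
    """
    msg = json.loads(payload)
    cost = float(msg.get("costAmount", 0.0))
    limit = float(msg.get("budgetAmount", 0.0))
    ratio = cost / limit if limit > 0 else float("inf")
    return Decision(
        budget=msg.get("budgetDisplayName", "<unnamed>"),
        cost=cost,
        limit=limit,
        ratio=ratio,
        disable_billing=ratio >= hard_cap_ratio,
    )


class BillingKillSwitch:
    """Turns budget notifications into an automatic cut-off.

    disable_billing is a hypothetical hook supplied by the caller; a real one
    would detach the project's billing account (assumption, not implemented).
    The switch is idempotent: a project is only disabled once even though
    budget alerts are re-sent several times per day.
    """

    def __init__(self, disable_billing: Callable[[str], None], hard_cap_ratio: float = 1.0):
        self._disable = disable_billing
        self._hard_cap_ratio = hard_cap_ratio
        self.disabled_projects: Set[str] = set()

    def handle(self, payload: str, project_id: str) -> Decision:
        decision = evaluate_budget_notification(payload, self._hard_cap_ratio)
        if decision.disable_billing and project_id not in self.disabled_projects:
            self._disable(project_id)          # one-way action: stops further spend
            self.disabled_projects.add(project_id)
        return decision


def run_sample() -> list:
    """Feed the constructed notifications through the switch and return decisions."""
    calls = []
    switch = BillingKillSwitch(disable_billing=calls.append, hard_cap_ratio=1.0)
    decisions = [switch.handle(p, "example-project") for p in SAMPLE_NOTIFICATIONS]
    # Second notification (4150 USD against a 180 USD budget) trips the switch.
    return decisions + [calls]


if __name__ == "__main__":
    for item in run_sample():
        print(item)
```

Two design points matter here. The cut-off is a ratio on actual spend rather than a request count, which is the distinction the article draws between a rate limit and a consumption cap. And because detaching billing is one-way and disruptive, the switch records which projects it has already disabled so repeated deliveries of the same alert do not issue the call again; in production the alert threshold and the ratio should be set together, since a notification only arrives when a configured threshold is crossed.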
Key Points
💸 590,000 RMB bill in 48 hours: Due to the leakage of the key, the API was abused, causing a financial loss that a small team of three could not bear.
🚫 Google refuses to pay: Based on the "shared responsibility model," Google believes that developers should bear all the costs caused by their own security mistakes.
⚠️ Questioned mechanism defects: Developers are calling on Google to improve quota management and add features similar to OpenAI's "automatic cut-off once balance is exhausted" to prevent such tragedies from happening again.
