Google Cloud API fraud victims refunded as spending cap controls remain in preview
Tags Enterprise · Infrastructure · OSS
Google Cloud has refunded developers whose API keys were hijacked and used to rack up thousands of dollars in charges — in one case, $17,000 in minutes. However, Google has not changed its policy of automatically upgrading spending limits without user permission. Google introduced a trial of hard spending caps in April 2026, but the feature is only available by application on a one- to two-week review basis, leaving most users exposed to unlimited charges from credential theft or traffic spikes.
Technical significance
This incident exposes a critical gap in cloud platform security defaults. The automatic tier upgrade policy — which can raise spending caps from $250 to $100,000 based on payment history — creates asymmetric risk where the most trusted customers face the largest potential exposure. For developers building on Google Cloud's AI APIs, this is a significant operational risk that requires manual mitigation until hard caps are generally available.
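The "manual mitigation" the article refers to usually takes the form of a billing budget whose Pub/Sub notifications drive a guardrail that detaches the billing account when spend crosses the budget. The block below is an added example written for this page, not code from the article or from Google: it parses a budget notification (the real payload fields are `budgetDisplayName`, `costAmount`, `budgetAmount`, `alertThresholdExceeded`, `currencyCode` and `costIntervalStart`), decides between alerting and disabling billing, and isolates the detach call (Cloud Billing API `projects.updateBillingInfo` with an empty `billingAccountName`) behind an optional client object so the module runs offline. The `billing_client` parameter, the `example-project` id and the sample payload are assumptions constructed for the example.

```python
"""Added example: budget-notification guardrail for a Google Cloud project.

A Cloud Billing budget can publish a JSON notification to a Pub/Sub topic
each time spend is recalculated. This module decodes that message, compares
spend against the budget and, past the kill ratio, detaches the billing
account so paid API calls stop. The billing client is optional (assumed to be
a googleapiclient resource for cloudbilling v1); without it the detach step
returns the request it would have sent, so the code runs offline.
"""
import base64
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class BudgetDecision:
    action: str        # "OK", "ALERT" or "DISABLE_BILLING"
    spend_ratio: float  # cost / budget, or -1.0 when it could not be computed
    reason: str


def parse_budget_message(pubsub_message: dict) -> dict:
    """Decode the base64 'data' field of a Pub/Sub message into the budget JSON."""
    raw = base64.b64decode(pubsub_message["data"]).decode("utf-8")
    return json.loads(raw)


def decide(notification: dict, alert_ratio: float = 0.5, kill_ratio: float = 1.0,
           expected_currency: str = "USD") -> BudgetDecision:
    """Map a budget notification to an action. Anything malformed escalates to ALERT
    rather than silently passing, since a missing field is itself a signal."""
    try:
        cost = float(notification["costAmount"])
        budget = float(notification["budgetAmount"])
    except (KeyError, TypeError, ValueError):
        return BudgetDecision("ALERT", -1.0, "malformed notification; investigate manually")
    if notification.get("currencyCode") != expected_currency:
        return BudgetDecision("ALERT", -1.0, "unexpected currencyCode; ratio not comparable")
    if budget <= 0:
        # A zero budget means any spend at all is over budget.
        return BudgetDecision("DISABLE_BILLING", float("inf"), "budget amount is zero or negative")
    ratio = cost / budget
    if ratio >= kill_ratio:
        return BudgetDecision("DISABLE_BILLING", ratio, f"spend is {ratio:.0%} of budget")
    if ratio >= alert_ratio:
        return BudgetDecision("ALERT", ratio, f"spend is {ratio:.0%} of budget")
    return BudgetDecision("OK", ratio, "within budget")


def detach_billing_account(project_id: str, billing_client=None) -> dict:
    """Detach the billing account via projects.updateBillingInfo.

    billing_client is assumed to be a googleapiclient discovery resource for
    cloudbilling v1. When None, return the request that would be sent (dry run).
    """
    name = f"projects/{project_id}"
    body = {"billingAccountName": ""}  # empty name detaches the account
    if billing_client is None:
        return {"dry_run": True, "name": name, "body": body}
    return billing_client.projects().updateBillingInfo(name=name, body=body).execute()


def handle(pubsub_message: dict, project_id: str, billing_client=None):
    """Entry point a Pub/Sub-triggered function would call. Returns (decision, detach_result)."""
    decision = decide(parse_budget_message(pubsub_message))
    result = None
    if decision.action == "DISABLE_BILLING":
        result = detach_billing_account(project_id, billing_client)
    return decision, result


# Constructed sample payload: spend already 120.5% of a 100 USD budget.
SAMPLE_NOTIFICATION = {
    "budgetDisplayName": "example-budget",
    "alertThresholdExceeded": 1.0,
    "costAmount": 120.5,
    "costIntervalStart": "2026-04-01T07:00:00Z",
    "budgetAmount": 100.0,
    "budgetAmountType": "SPECIFIED_AMOUNT",
    "currencyCode": "USD",
}
SAMPLE_PUBSUB_MESSAGE = {
    "data": base64.b64encode(json.dumps(SAMPLE_NOTIFICATION).encode("utf-8")).decode("ascii")
}

if __name__ == "__main__":
    decision, result = handle(SAMPLE_PUBSUB_MESSAGE, "example-project")
    print(decision)
    print(result)
```

Budget notifications are computed from billing data that lags actual usage by up to several hours, so a guardrail like this bounds the damage from a hijacked key rather than preventing a burst of spend in the first minutes; API key restrictions (referrer, IP and API scope) and prompt key rotation address that window. Detaching billing also stops legitimate paid services in the project, which is why the decision function separates ALERT from DISABLE_BILLING instead of cutting off at the first threshold.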