Hacker News · Security incident
Unrestricted Firebase Keys Trigger Gemini Billing Abuse
A Firebase project owner reported an overnight €54,000+ Gemini API billing spike after enabling Firebase AI Logic on an existing project, with traffic that appeared automated rather than user-driven. Google said it is moving to disable unrestricted API keys for Gemini, add spend caps and more secure default auth keys, and recommends server-side calls plus key restrictions.
// ANALYSIS
Hot take: this is less a one-off billing bug than a bad-default security model colliding with AI usage economics.
- A Google API key that used to be “safe to expose” can become a Gemini credential once the API is enabled on the project.
- The reported damage window was short, and alerting lag meant the spend cap/budget alarms arrived after major charges had already accumulated.
- Google’s response suggests the platform is already changing: unrestricted keys are being phased out, spend caps exist, and leaked-key blocking is being expanded.
- The practical takeaway for developers is blunt: treat any client-side Google key as sensitive if Gemini is enabled anywhere in that project.
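The bullets above boil down to three controls: keep the key server-side, tie every call to an authenticated caller, and enforce a spend cap before the request goes out rather than after the invoice arrives. The following is an added example written for this page, not code from the post, from Google, or from the affected project; the `Gateway` class, the micro-euro pricing, the quota numbers and the `upstream` stub are all constructed assumptions, and in production `upstream` would be the real server-side model call.

```python
"""Server-side gateway pattern for a Gemini-style API.

The key never reaches the browser, each call is attributed to an
authenticated caller, a per-caller burst limit catches automated traffic,
and a hard spend cap is checked *before* the upstream call is made.

Added example; not code from the post or from Google. Prices, quotas and
the upstream stub are constructed for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional, Tuple

# All money is tracked in integer micro-euros to avoid float drift.
MICRO = 1_000_000


@dataclass
class Gateway:
    # Assumption: the real key is loaded from server-side config (e.g. an
    # environment variable). Clients only ever talk to this gateway.
    api_key: str
    upstream: Callable[[str, str], str]          # (api_key, prompt) -> output
    cost_per_request: int = 2_000                # constructed: EUR 0.002/call
    daily_cap: int = 50 * MICRO                  # constructed: EUR 50/day
    per_caller_per_minute: int = 20              # constructed burst limit
    spent: int = 0
    windows: Dict[str, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque))
    denied: List[Tuple[float, Optional[str], str]] = field(default_factory=list)

    def _over_burst_limit(self, caller: str, now: float) -> bool:
        """Sliding 60-second window per authenticated caller."""
        window = self.windows[caller]
        while window and now - window[0] >= 60.0:
            window.popleft()
        if len(window) >= self.per_caller_per_minute:
            return True
        window.append(now)
        return False

    def handle(self, caller: Optional[str], prompt: str, now: float) -> dict:
        """Authenticate, rate-limit, check the cap, then (and only then) call upstream."""
        if not caller:
            return self._deny("unauthenticated", caller, now)
        if self._over_burst_limit(caller, now):
            return self._deny("rate_limited", caller, now)
        if self.spent + self.cost_per_request > self.daily_cap:
            return self._deny("spend_cap", caller, now)
        self.spent += self.cost_per_request
        return {"status": "ok", "output": self.upstream(self.api_key, prompt)}

    def _deny(self, reason: str, caller: Optional[str], now: float) -> dict:
        # Denials are the signal worth alerting on; a burst of them from one
        # caller is the "automated rather than user-driven" pattern.
        self.denied.append((now, caller, reason))
        return {"status": "denied", "reason": reason}


def simulate(gateway: Gateway, callers: List[str], requests_per_caller: int,
             interval: float) -> Dict[str, int]:
    """Replay a constructed traffic pattern and count outcomes by reason."""
    counts: Dict[str, int] = defaultdict(int)
    t = 0.0
    for _ in range(requests_per_caller):
        for caller in callers:
            result = gateway.handle(caller, "hello", t)
            counts[result.get("reason", result["status"])] += 1
            t += interval
    return dict(counts)


if __name__ == "__main__":
    gw = Gateway(api_key="server-side-secret", upstream=lambda k, p: "echo:" + p)
    # One caller firing 30 requests in three seconds: only the first 20 pass.
    print(simulate(gw, ["bot"], 30, 0.1))
```

The point of the integer accounting and the pre-call cap check is that the gateway refuses the 21st request in a minute and the first request that would cross the daily cap; neither decision depends on a billing alert that may arrive hours later.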
// TAGS
gemini, firebase, google-cloud, api-keys, billing, security, llm, ai-studio
DISCOVERED: 3h ago (2026-04-16)
PUBLISHED: 10h ago (2026-04-16)
RELEVANCE: 10/10
AUTHOR: zanbezi