Google has refunded two developers who faced thousands of dollars in unauthorized API charges, but continues to automatically expand customer spending limits without explicit consent, leaving users vulnerable to unexpected bills.
Google Cloud has reversed thousands of dollars in unauthorized API charges for two developers who were victims of account takeovers, yet the company continues to automatically upgrade customer spending tiers without explicit permission, creating ongoing financial risks for users.
Australia-based developer Isuru Fonseka, whose usage bill skyrocketed to $17,000 in minutes after Google automatically upgraded his $250 spending tier when a hacker took control of his account, confirmed his refund was processed following media attention. "It's so good. It felt like they were just giving me the run around until your article. I just hope they fix it properly for everyone," he said.
Similarly, Rod Danan, CEO of Prentus, saw his bill jump to $10,000 in just 30 minutes of unauthorized usage before Google agreed to refund the charges. "The stress of running a startup is hard enough without the addition of fighting one of the largest companies in the world imposing erroneous five-figure charges," Danan noted.
Despite these refunds, Google maintains its policy of automatically expanding customer spending limits based on historical payment behavior, which security experts say leaves legitimate users vulnerable to both fraud and unexpected billing spikes. The company prioritizes service continuity over respecting users' budget preferences.
"With our automated growth tiers, we helped businesses scale as usage increased, built on their historic reputation of payments and usage," a Google spokesperson explained. "This prevents their business having a hard service outage once they pass an artificial system quota."
The policy creates particular risks for customers with good payment histories. For example, a Tier 1 user with a $250 spending cap can automatically be allowed to spend up to $100,000 if their account is older than 30 days and they have spent at least $1,000 with Google over their lifetime. Many users only discover this policy after receiving unexpectedly large bills.
In response to growing concerns, Google introduced a trial of hard spending caps in April 2026, but these are currently in preview mode with case-by-case approval. "We're excited to announce that Spend Caps are coming soon to Google Cloud," the company announced, noting that these caps "alert and ultimately pause API traffic once your set budget is reached, but leave your resources intact."
However, the implementation has significant limitations:
- Spend caps can only be set per project for a single, eligible service
- Eligible services include Gemini API, Agent Platform, Cloud Run, Cloud Run Functions, and Maps
- Applications for spending caps are reviewed on a "one to two week basis"
- Customers are added in the order they submitted their applications
Fonseka, who has since disabled Gemini on all his projects, expressed frustration that media attention was required to secure his refund. "It's great that the article was able to get the refund but it's sad that it had to go to that level for them to process it urgently," he said.
For developers seeking to protect themselves, security experts recommend:
- Regularly rotating API keys and implementing proper access controls
- Monitoring API usage patterns for anomalies
- Considering alternative services that don't automatically expand spending limits
- Applying for Google's spending cap preview when available
- Implementing rate limiting on public APIs
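One way to act on the monitoring and spend-cap advice above from the customer side, as an added example that is neither the article's nor Google's code: a small budget gate that alerts at a soft threshold, flags a burst of spend inside a short window, and refuses further calls once a hard cap would be exceeded (pause, not delete, as the preview describes). The growth-tier rule is encoded only as the article states it; `SpendGuard`, `auto_expanded_limit`, `replay` and the usage records (timestamps in seconds, costs in dollars) are constructed assumptions.

```python
from collections import deque


def auto_expanded_limit(tier_cap, account_age_days, lifetime_spend):
    """Growth-tier rule as the article describes it: a $250 Tier 1 cap may
    grow to $100,000 once the account is over 30 days old and has at least
    $1,000 lifetime spend. Shows why the tier cap is not the ceiling a
    leaked key is actually bounded by."""
    if account_age_days > 30 and lifetime_spend >= 1000:
        return 100_000.0
    return float(tier_cap)


class SpendGuard:
    """Client-side budget gate consulted before each billable API call."""

    def __init__(self, hard_cap, alert_fraction=0.8, window_s=1800, burst_cap=None):
        self.hard_cap = hard_cap
        self.alert_at = hard_cap * alert_fraction          # soft warning level
        self.window_s = window_s                           # burst window (30 min)
        self.burst_cap = burst_cap if burst_cap is not None else hard_cap * 0.5
        self.spent = 0.0
        self.recent = deque()                              # (ts, cost) in window
        self.alerted = False

    def _window_spend(self, now):
        while self.recent and now - self.recent[0][0] > self.window_s:
            self.recent.popleft()
        return sum(c for _, c in self.recent)

    def allow(self, ts, est_cost):
        """Return 'ok', 'alert', 'burst' or 'pause'. The call proceeds unless
        'pause'; a paused call is not charged, so spend never passes the cap."""
        if self.spent + est_cost > self.hard_cap:
            return "pause"
        self.spent += est_cost
        self.recent.append((ts, est_cost))
        if self._window_spend(ts) > self.burst_cap:
            return "burst"                                 # spike inside window
        if not self.alerted and self.spent >= self.alert_at:
            self.alerted = True
            return "alert"
        return "ok"


# Constructed sample: normal traffic, then a leaked key ramps usage in minutes.
SAMPLE = [(0, 0.25), (60, 0.5), (3600, 0.5), (3700, 40.0),
          (3760, 80.0), (3820, 90.0), (3880, 150.0)]


def replay(events, hard_cap=250.0):
    guard = SpendGuard(hard_cap)
    return [guard.allow(ts, c) for ts, c in events], guard.spent
```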
Google stated that it "takes reports of credential abuse and the financial security of our customers extremely seriously" and will "work directly with any impacted users to resolve charges resulting from fraudulent activity." However, the company has not indicated plans to change its automatic tier upgrade policy.
As AI API usage continues to grow, this incident highlights the tension between service providers' desire for uninterrupted service and customers' need for predictable billing and protection against unexpected charges.
