Google's AI APIs Have a 23-Minute Security Gap
A $10,000 Gemini API bill in 30 minutes exposed how Google's own infrastructure lags its security advice. Here's what every developer needs to act on now.
AI API security is now everyone's problem, including the companies building the APIs. A TechCrunch report from 24 May 2026 documents an uncomfortable gap: the time between an initial breach and its next attack stage has collapsed from 8 hours to 22 seconds, yet Google's own API key revocation takes up to 23 minutes. Between those two numbers sits an exposure window that can empty your billing account before you get the alert email.
π What Actually Happened With Those $10,000 Bills
Two developers were hit with charges they never authorized. Rod Danan, CEO of Prentus, received a $10,138 bill in 30 minutes from unauthorized Gemini API calls. A Sydney-based developer named Isuru Fonseka faced roughly AUD $17,000 in charges, despite having set a $250 spending cap.
The root cause in both cases was not a stolen password or a phishing attack. API keys they had originally created for Google Maps had quietly gained access to the Gemini API after Google expanded the scope of what those keys could call. Neither developer opted in explicitly. On top of that, Google's automatic tier-upgrade system raised spending ceilings to $100,000 without requiring explicit consent.
Key takeaway: A spending cap you set months ago may not protect you if the platform has silently expanded what your credentials can access. Cap + credential scope are two separate things.
Google has declined to change the auto-upgrade policy, citing service continuity. The recommendation from Google's COO, Francis de Souza, was sound advice about platform-wide governance. The gap is between that advice and Google's own infrastructure choices.
β‘ 22 Seconds vs. 23 Minutes: The Numbers That Define the Risk
These two timings, placed side by side, explain why the current AI security transition is not a theoretical concern:
| Metric | Time |
|---|---|
| Average time from initial breach to next attack stage | 22 seconds |
| Time to revoke a compromised Google API key | Up to 23 minutes |
| Time to revoke a Google service account credential | ~5 seconds |
That is a roughly 275Γ difference in revocation speed between API keys and service accounts on the same platform. If a key leaks, an attacker can pivot through your account, call the most expensive inference endpoints available, and generate billing in the seconds it takes Google to process the revocation.
The discrepancy is architectural. API keys were designed for simpler, narrower use cases. As Google layered them with access to newer, more expensive services, the revocation infrastructure did not keep pace with the expanded blast radius.
LinkedIn CISO Lea Kissner stated the industry won't understand AI security sustainably "for at least several years," anticipating a "bug-pocalypse" as AI agents proliferate across enterprise systems.
π οΈ The New Attack Surface Is Bigger Than You Think
Traditional security assumed a predictable perimeter: servers, databases, user accounts, network edges. AI deployments expand that surface across four new categories:
- Models β inference endpoints and model weights
- Data pipelines β training data sources, retrieval-augmented stores, fine-tuning datasets
- Agents β autonomous processes that can browse internal systems, call APIs, and execute code
- Prompts β crafted inputs designed to manipulate model outputs (prompt injection)
The agent risk deserves specific attention. An AI agent given broad system access can surface data repositories that have not been actively accessed in years. Those repositories tend to carry stale, overpermissioned access controls because no one thought they were reachable. AI agents make them reachable again.
Shadow AI compounds this further: employees using consumer AI tools without going through any internal review process. Data uploaded to those tools is outside the organization's visibility entirely.
π‘ Credential Hygiene Checklist Before You Ship
Based on the vulnerabilities the article describes, these are the controls worth having in place on any AI API project:
Before shipping:
- Use service accounts or short-lived tokens instead of static API keys wherever the platform supports it.
- Set the narrowest scope the key actually needs. A Maps key should not have Gemini access.
- Audit which services each existing key can call. Do not assume the scope matches what you set at creation time.
- Set spending alerts at 25%, 50%, and 80% of your monthly budget ceiling, not just a single hard limit.
- Review billing history and IAM bindings before deploying any key to a production environment.
After a key leaks:
- Revoke from the platform console immediately.
- Rotate every key in that project, not just the one that was exposed.
- Check billing history from the moment the key was first issued, not just the day of the incident.
- Look for new IAM bindings or newly-enabled service APIs you did not authorize.
If you are using JWT-based API authentication rather than static keys, you can inspect token claims, scopes, and expiry times directly in [your browser](https://induwara.lk/tools/image-upscaler) using the JWT Decoder at induwara.lk/tools/jwt-decoder to verify what access is actually encoded in a token before it ships.
π What This Means for You
If you are a developer in Sri Lanka working with AI APIs on a side project, a startup MVP, or a freelance contract, the billing exposure is real and asymmetric. A $10,000 USD charge converts to roughly Rs. 3.1 million at current exchange rates. A spending cap that silently does not apply is not a spending cap.
Three things worth doing today:
Audit your Google Cloud API key scopes. Log in, go to APIs & Services β Credentials, click each key, and check which APIs it can call. If you created it for one service and have not touched it recently, the accessible service list may be longer than you expect.
Prefer per-service service accounts over shared project API keys for anything that touches a billing meter.
Read auto-upgrade notification emails from cloud platforms. Do not treat them as routine. They may be silently raising your financial exposure.
The article's broader point is accurate: this is a genuine transition period, and no one, including Google, has fully worked out the security model for AI deployments at scale. That is not a reason to wait. The attack timelines are already measured in seconds. Your audit cadence needs to be measured in days, not quarters.
Sources: TechCrunch, 24 May 2026. All dollar figures, timings, and quotes cited from the original reporting.