Google Cloud customer wakes up to $18,000 bill despite $7 budget

Article

TL;DR

GCP billing caps are alerts, not hard limits; attacker burned $18k despite a $7 budget setting.

Key Takeaways

  • GCP spending caps don’t stop charges — they send alerts while billing continues
  • A leaked API key + 60k requests blew past a $1,400 soft cap to $18,000
  • AWS and Azure have similar non-hard-stop billing behavior; architecture risk for all cloud users

Discussion

Top comments:

  • [victor106]: GCP should offer hard service shutoffs when budget cap is hit
  • [ReptileMan]: A budget that doesn’t cap spending is not a budget
  • [perryizgr8]: Hard billing limits are technically feasible; Google lacks motivation to build them
