Student Charged $14k on Stolen Google Cloud Credentials
In 2017, I made a Google Cloud Account to use Google Maps API for a Computer Science student group project and put my debit card in. I naively put a $5 account notification in, thinking it was a cap. This project was defunct after 2017 and I should have just closed the Cloud account.
All was fine up until January 2019 when the Google Cloud Credentials were somehow stolen and over the course of two days on Google Maps API, racked up enough API calls to generate over $14k invoice. I disabled the Google Cloud Account a day after I noticed an email from Google Cloud. Google Cloud did try to use debit card to deduct from checking account, but I don't leave thousands sitting around in it, so charge was declined.
I talked to Google Cloud Billing and they have not been helpful, telling me to contact my bank. Today, I got a scary email from a collections agency demanding I login to my Google Cloud account and pay the bill! Worst part is, this API used to be free, until Google started charging exorbitant amounts for it.
I know I did not make these API calls -- if you looked at the call volume history, there was nothing for well over a year, until those two days in 2019, it started going crazy (and the project is not running on any server or being used in any way). I suspect a group member might have accidentally leaked the credentials.
I know AWS has waived costs[1] like this in the past, but Google is not known for customer support. I should have been more proactive in setting up a cap.
Appreciate any advice or Google contacts to talk to an actual human. Should I see if Google is willing to actually verify this was unauthorized usage or just lower the bill? I'll eat a few thousand just to make this go away.
To say GCP has left a sour taste in my mouth is an understatement!
Thanks for reading.
[1] https://dev.to/juanmanuelramallo/i-was-billed-for-14k-usd-on-amazon-web-services-17fn
36 comments
[ 5.4 ms ] story [ 73.2 ms ] threadYou need to say it was used fraudulently and you don’t agree to the charges.
The call volume itself looks suspicious. No calls for well over a year and then suddenly an incredible amount? You would think Google would have some algorithm to detect this?
If they send it to collections you can dispute it. A lot of laws and things around that.
It sounds like it hasn’t been charged off yet though, since they want you to pay Google, not them.
I wish you luck. :)
This isn’t exactly helping Google to fight the narrative that it isn’t good with customer support and they can’t be trusted as a platform for business.
So if you were a person deciding who to choose as your cloud provider, who are you going to choose?
AWS - “No one ever got fired for choosing AWS”
Microsoft - well known for their enterprise support and there are plenty of MS Shops out there.
Or
Google?
The google customer experience is just horrific.
The only time they won't is if (by looking at the logs) they decide you were probably scraping and storing all their data.
[1]: https://blog.acolyer.org/2019/04/08/how-bad-can-it-git-chara...
Disputing a charge with your credit card company doesn't change that. The credit card company might side in your favor and reverse the charges, but the original company can still pursue payment with you directly. Their claim can even show up on your credit report. I remember working with a payment processor in Europe that even automated sending a bill to collections if it was charged back by the consumer's credit card company.
that's just one use case, DDOSing an API/website through seemingly legit requests from the G3's cloud infrastructure is another.
Lots of things you can do with massive amounts of computing power. It doesn't have to be sustainable in the short term, you just keep repeating the process and the value adds up fast
The Support personnel have hopefully been helping out, as all Billing Issues are covered regardless of support tier. I obviously don't know the ins and outs of payment instrument refunds / do debit cards mean that you actually do have to contact your bank, but I'm sure people in Support do.
I certainly don't think a student just learning the ins and outs of a cloud provider's services should be able to spend 10k+ without warnings/thresholds that require configuration to exceed. It would be positive for platform adoption to make that process better.
Why? Do you never ever make mistakes?
I found my new email signature.
I agree completely-- Google's practices are terrible here. Who in their right mind would render $14,000 worth of services to a customer for which no due diligence was performed? They never stopped to make sure someone whose usage went from zero to the stratosphere was legit or has the ability to pay such a bill?
No other industry would do something so amateur. Lawyers work on retainer. Bartenders will preauthorize your card before letting you clean out the top shelf. Landlords do credit/background checks before letting you assume tenant rights under their roof. Steam will block your credit card until verification if you buy one too many hats. Know your fucking customer!
eFax and stamps.com are the only other businesses I'm aware of who do stuff like this, and it's done by design. You forget to cancel your free trial or account, they'll let the subscription bills accrue into the thousands and then send debt collectors after you to shake you down for a settlement.
Not to blame the victim, but at the time the original charges happened, OP didn't respond to the Support person for 3-days (our usual timeout) on "Hey, is this resolved on your side?". Tell them no! :). Glad this got resolved quickly though.
i do pay for production instances, i just don't want to mess around on those production instances