
Posting this because I've seen others in this community deal with similar situations and I want this documented publicly.
I run a B2B SaaS company serving universities. In March 2026, our Google Cloud bill jumped from roughly $50/month to $10,138.28 — almost entirely from Veo 3 video generation and Gemini image output tokens. Services we have never used and that have zero connection to our product.
The cause is the documented Truffle Security vulnerability disclosed February 25, 2026.
For anyone unfamiliar: Truffle Security researcher Joe Leon disclosed that Google silently expanded the scope of existing AIza... API keys — keys originally created for Maps, Firebase, or other services — to retroactively cover the Gemini API once it was enabled on the same project. Google's own documentation instructs developers to embed these keys publicly in client-side JavaScript. Google's VDP team internally classified this as a Tier 1 security bug on January 13, 2026. The architectural fix was still incomplete at the time of public disclosure on February 25.
My charges hit in March 2026 — after the public disclosure — while the fix was still in progress.
Full Truffle write-up here: https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules
What happened with support (Case 69366502):
- Opened March 23, 2026
- First agent (Yash) acknowledged "significant and unexpected spike" and escalated to specialized team
- Second agent (Merilyn) explained the Veo 3 / Gemini image cost breakdown but redirected me to Vertex AI billing
- Weeks of silence, multiple follow-ups
- April 25: Case closed — "no signs the account has been compromised"
- April 28: Reopened briefly, then closed again with "unable to confirm fraudulent activity" and a recommendation to contact my bank
The problem with their finding is that it's looking for the wrong thing. The keys weren't stolen or compromised. They were public-facing keys to which Google's own architectural change retroactively granted Gemini access. Of course there are "no signs of compromise" — that's not what happened.
I provided the Truffle disclosure URL, the VDP bug classification timeline, and a clear explanation of why the "no compromise" framing misses the point. It didn't move the needle.
A few things I want to know from this community:
- Has anyone successfully gotten a refund specifically citing the Truffle/February 2026 vulnerability? What worked?
- Has anyone heard of any organized legal action or class action being built around this?
- Any Google Cloud contacts at the DevRel or enterprise level who've actually helped in cases like this?
I'm not going away on this one. Happy to share documentation if it helps others in the same situation.
UPDATE May 6 9:18AM: Received a separate escalation email from edge-support@google.com after emailing Google executives. Case now being reviewed by a different internal team. Will keep this thread updated.
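The mechanism described above (a key created for Maps or Firebase becoming usable against the Gemini API once that API is enabled on the project) can be audited from the key's own restriction record. The following Python is an added defensive example, not code from the original post or from Truffle Security; it reads key records in the API Keys API v2 `Key` shape (what `gcloud services api-keys list --format=json` prints) and flags keys whose restrictions would let a project-wide Gemini enablement reach them. The sample records are constructed.

```python
"""Audit Google Cloud API keys for exposure to the Gemini API.

Records use the API Keys API v2 `Key` shape; the three sample keys are constructed.
"""
GEMINI_SERVICE = "generativelanguage.googleapis.com"

# Constructed sample: keys as they might look in a project that later enabled the Gemini API.
SAMPLE_KEYS = [
    {   # Maps key shipped in client-side JavaScript, never given API restrictions
        "displayName": "maps-browser-key",
        "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://app.example.edu/*"]}},
    },
    {   # Firebase web key restricted to the two APIs it actually calls
        "displayName": "firebase-web-key",
        "restrictions": {
            "browserKeyRestrictions": {"allowedReferrers": ["https://app.example.edu/*"]},
            "apiTargets": [{"service": "firestore.googleapis.com"},
                           {"service": "identitytoolkit.googleapis.com"}],
        },
    },
    {   # Backend key that allows Gemini but is not pinned to any server IP
        "displayName": "backend-key",
        "restrictions": {"apiTargets": [{"service": GEMINI_SERVICE}]},
    },
]


def audit_key(key: dict) -> tuple[str, str]:
    """Return (severity, reason) for one key record; severity is HIGH, MEDIUM or OK."""
    restrictions = key.get("restrictions") or {}
    targets = {t.get("service") for t in restrictions.get("apiTargets", [])}
    is_browser_key = "browserKeyRestrictions" in restrictions  # intended to be public
    if not targets:
        # No apiTargets: the key is valid for every API enabled on the project, so
        # enabling the Gemini API silently extends what this key can be billed for.
        return ("HIGH", "no apiTargets; key can call any enabled API including " + GEMINI_SERVICE)
    if GEMINI_SERVICE not in targets:
        return ("OK", "apiTargets exclude " + GEMINI_SERVICE)
    if is_browser_key:
        return ("HIGH", "public browser key explicitly allows " + GEMINI_SERVICE)
    if not restrictions.get("serverKeyRestrictions"):
        return ("MEDIUM", GEMINI_SERVICE + " allowed without an allowed-IP restriction")
    return ("OK", GEMINI_SERVICE + " allowed only from the listed server IPs")


def audit_keys(keys: list[dict]) -> dict[str, tuple[str, str]]:
    """Map each key's displayName (or uid) to its audit result."""
    return {k.get("displayName", k.get("uid", "?")): audit_key(k) for k in keys}


if __name__ == "__main__":
    for name, (severity, reason) in audit_keys(SAMPLE_KEYS).items():
        print(f"{severity:6} {name}: {reason}")
```

Feed it the real `--format=json` output to see which keys in a project would have been caught by a Gemini enablement.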