Hi,<p>In 2017, I made a Google Cloud Account to use Google Maps API for a Computer Science student group project and put my debit card in. I naively put a $5 account notification in, thinking it was a cap. This project was defunct after 2017 and I should have just closed the Cloud account.<p>All was fine up until January 2019 when the Google Cloud Credentials were somehow stolen and over the course of two days on Google Maps API, racked up enough API calls to generate over $14k invoice. I disabled the Google Cloud Account a day after I noticed an email from Google Cloud. Google Cloud did try to use debit card to deduct from checking account, but I don't leave thousands sitting around in it, so charge was declined.<p>I talked to Google Cloud Billing and they have not been helpful, telling me to contact my bank. Today, I got a scary email from a collections agency demanding I login to my Google Cloud account and pay the bill! Worst part is, this API used to be free, until Google started charging exorbitant amounts for it.<p>I know I did not make these API calls -- if you looked at the call volume history, there was nothing for well over a year, until those two days in 2019, it started going crazy (and the project is not running on any server or being used in any way). I suspect a group member might have accidentally leaked the credentials.<p>I know AWS has waived costs[1] like this in the past, but Google is not known for customer support. I should have been more proactive in setting up a cap.<p>Appreciate any advice or Google contacts to talk to an actual human. Should I see if Google is willing to actually verify this was unauthorized usage or just lower the bill? I'll eat a few thousand just to make this go away.<p>To say GCP has left a sour taste in my mouth is an understatement!<p>Thanks for reading.<p>[1] https://dev.to/juanmanuelramallo/i-was-billed-for-14k-usd-on-amazon-web-services-17fn
Sorry this happened to you! Feel free to send me your case number (email in profile), and I'll escalate it.<p>The Support personnel have hopefully been helping out, as all Billing Issues are covered regardless of support tier. I obviously don't know the ins and outs of payment instrument refunds / do debit cards mean that you actually do have to contact your bank, but I'm sure people in Support do.
I’ve heard so many stories of something similar happening on AWS and after an email to support, all of the charges were dropped.<p>This isn’t exactly helping Google to fight the narrative that it isn’t good with customer support and they can’t be trusted as a platform for business.<p>So if you were a person deciding who to choose as your cloud provider, who are you going to choose?<p>AWS - “No one ever got fired for choosing AWS”<p>Microsoft - well known for their enterprise support and there are plenty of MS Shops out there.<p>Or<p>Google?
Before disputing the charge, be sure to back up all data and contact info from your Google accounts. Fighting charges has been known to trigger account lockouts with no appeal.
Did you check your Github repos and associated commit history for accidental push of secret files? There's an article on the HN front page describing secret leakage in Github repos (the most common is Google API keys, go figure)[1]. I imagine somebody out there has a bot to monitor pushes in realtime to extract secrets. You or a team member might have leaked keys in a similar manner.<p>[1]: <a href="https://blog.acolyer.org/2019/04/08/how-bad-can-it-git-characterizing-secret-leakage-in-public-github-repositories/" rel="nofollow">https://blog.acolyer.org/2019/04/08/how-bad-can-it-git-chara...</a>
Google will typically waive charges in cases like this.<p>The only time they won't is if (by looking at the logs) they decide you were probably scraping and storing all their data.
Make them prove you used it to generate the charges. Make them provide IPs etc.<p>You need to say it was used fraudulently and you don’t agree to the charges.
Next use a credit card. Basically thanks to credit card laws the bank will go tell google to f off and give you your money back. Debit cards don't have the same protection, but just call your bank or OCS (<a href="https://www.occ.treas.gov/" rel="nofollow">https://www.occ.treas.gov/</a>). They have a little more bite.
I dunno if google lets you do this but amazon/azure will pretty reliably let you create new free tier accounts with fake emails and access them from the same IP. i just create a new debit/credit card every 6 months(it's pretty hassle free in india).<p>i do pay for production instances, i just don't want to mess around on those production instances