HeadlinesBriefing.com

Firebase AI Logic €54k Bill Shock: Unrestricted Gemini API Abuse

Source: Hacker News

A developer experienced a €54,000 billing spike after enabling Firebase AI Logic on a project that had been used only for authentication. The charges occurred within 13 hours when automated traffic exploited an unrestricted browser API key to make Gemini requests. The traffic pattern showed no correlation with actual users and stopped immediately when credentials were rotated.

Budget alerts triggered with several hours' delay, by which time costs had already reached €28,000. Google Cloud classified the charges as valid usage since they originated from the project, denying the billing adjustment request. The incident highlights risks when browser keys lack proper API restrictions, even on projects that previously had minimal usage.

This case raises questions about Firebase AI Logic security defaults and whether current safeguards like App Check and quotas are sufficient. Developers report similar concerns about unexpected API costs when enabling AI features. The incident suggests a need for more robust protection mechanisms, especially for projects transitioning from simple authentication to AI functionality.
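As an added example (not code from the briefing, the affected developer, or Google's tooling), here is a small audit that reads the JSON produced by `gcloud services api-keys list --format=json` and flags keys with no API-target restriction, keys that can reach a metered Gemini API, and keys with no application (referrer/IP/app) restriction. The key names, display names and sample JSON are constructed, and the AI service names are assumptions made for the check.

```python
import json

# Constructed sample in the shape of `gcloud services api-keys list --format=json`
# (API Keys API v2 Key resources). Names and values are made up for the example.
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/example/locations/global/keys/k1",
   "displayName": "Browser key (auto created)",
   "restrictions": {}},
  {"name": "projects/example/locations/global/keys/k2",
   "displayName": "Auth-only web key",
   "restrictions": {
     "browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]},
     "apiTargets": [{"service": "identitytoolkit.googleapis.com"}]}},
  {"name": "projects/example/locations/global/keys/k3",
   "displayName": "Gemini web key",
   "restrictions": {
     "apiTargets": [{"service": "firebasevertexai.googleapis.com"}]}}
]
"""

# Assumed service names for the Firebase AI Logic and Gemini Developer APIs.
AI_SERVICES = {"firebasevertexai.googleapis.com", "generativelanguage.googleapis.com"}
APP_RESTRICTION_KEYS = ("browserKeyRestrictions", "serverKeyRestrictions",
                        "androidKeyRestrictions", "iosKeyRestrictions")


def audit_keys(keys):
    """Return {key name: [issues]} for every key that is weakly restricted."""
    findings = {}
    for key in keys:
        restrictions = key.get("restrictions") or {}
        issues = []
        services = {t.get("service") for t in restrictions.get("apiTargets", [])}
        if not services:
            # No API target: the key can call any API enabled on the project.
            issues.append("no API target restriction")
        elif services & AI_SERVICES:
            # Metered AI API reachable: a leak turns directly into spend.
            issues.append("metered AI API reachable")
        if not any(k in restrictions for k in APP_RESTRICTION_KEYS):
            issues.append("no application restriction (usable from any origin)")
        if issues:
            findings[key["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_keys(json.loads(SAMPLE_KEYS_JSON)).items():
        print(name, "->", "; ".join(issues))
```

Referrer restrictions are only a first filter, since a browser can be told to send any Referer header; the briefing's point stands that App Check and per-API quotas are the controls that actually bound the spend.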