How to Handle API Key Theft and Unauthorized Charges

Immediate actions after API key theft

If an API key has been stolen and is generating unauthorized API charges, act fast. Short, decisive steps limit damage. Revoke the exposed key immediately and rotate credentials to lock down access.

The longer a key remains active, the more cost and risk it creates. If you are in onboarding or an internship environment, move even faster: accidental commits to repositories and shared IDEs are common leak vectors.

Quick checklist (first 30 minutes)

• Revoke the key: Disable or delete the compromised API key in your provider console.
• Rotate credentials: Create a new key with least-privilege permissions and update only services that need it.
• Cut billing impact: Set or raise budgets and alerts, and pause nonessential services.
• Collect evidence: Screenshot logs and usage spikes, save timestamps, and note IPs or request IDs.
• Notify stakeholders: Tell your ops, security, and billing teams right away.

Why revoked keys matter and what "rotation" does

Revoking a key stops new requests from the compromised credential. Rotation replaces the secret with a new credential and updates systems that rely on it. Both are essential: revocation stops immediate abuse while rotation prevents accidental reuse in automation or code.

How API key theft leads to unauthorized API charges

Cloud and API platforms bill for resource use and cannot tell if a request is legitimate or malicious. That is why you can still be charged for unauthorized API usage. For example, Google Maps Platform states users are financially responsible for charges caused by abuse of unrestricted API keys.

Attackers routinely scan public repositories and other sources for leaked keys and then spin up operations that incur cost.

Common exposure vectors

• Accidentally committed keys in public Git history. Even deleted commits can be scanned and scraped.
• Shared IDEs or VMs used in internships and temporary project setups.
• Client-side keys embedded in web apps without proper restrictions.
• Temporary test keys left unrestricted or with broad permissions.

Automated bots continuously scan sites like GitHub for secrets. Read more about secret scanning at GitHub's secret scanning docs.

Detection: how to spot unauthorized API usage and theft

Look for sudden spikes in usage and unusual API endpoints being called. Check request origins, IP ranges, and geolocation. Most providers expose usage logs and metrics you can filter by API key.

Implement the following detection measures:

• Enable detailed request logging and retain logs long enough to investigate.
• Set billing and usage alerts in your cloud console. See Google Cloud billing resources for guidance.
• Use secret-scanning tools like GitHub's built-in scanning or third-party scanners referenced by security vendors.
• Lock down keys with referrer, IP, or expiration restrictions when possible.

Step-by-step remediation after discovery

1. Revoke and rotate keys. Delete the compromised key and create a new one, deploying it securely.
2. Audit logs and identify damage. Map the time window of abuse, endpoints hit, and costs incurred.
3. Isolate affected systems. If the leaked key was used in an app or VM, isolate and scan for additional secrets.
4. Harden permissions. Replace broad keys with scoped credentials that only allow necessary API operations.
5. Set usage limits. Apply quotas per API key and per project to cap potential damage.
6. Secure secrets storage. Move keys into a secrets manager or environment variables injected at runtime, never checked into version control.

For credential best practices, see summaries such as Google Cloud's API keys best practices and vendor-specific guidance like Anthropic's API key best practices.

Navigating billing disputes for unauthorized API charges

After you have stabilized the technical side, handle billing. This often takes time. Some providers may refund clearly fraudulent charges while others may not. The process usually requires documentation and that you control the billing account.

Practical steps for billing disputes

• Contact billing support immediately. For Google Cloud, start with billing support and the billing issue resolution resources.
• Be a billing admin. You usually must be a Billing Account Administrator to open and manage a dispute.
• Provide evidence: Request logs, timestamps, revoked key IDs, and remediation steps you have taken.
• Use provider forms when required. Some providers require specific forms if charges appear on accounts you do not control.
• Follow up and escalate: Keep records of every contact and escalation. Escalate through support channels or your sales rep if needed.

Cloud providers' policies vary. Check vendor terms like Gemini's API agreement or other platform agreements to understand liability and responsibilities.

Legal and financial responsibility: what to expect

Many service agreements place responsibility for managing API key security on users. That means you may be held financially liable for charges caused by a leaked key, especially if the key had no usage restrictions. Prevention and rapid response are vital.

If your organization is a victim because an intern or contractor exposed a key, treat it as an incident. Document what happened, why it happened, and what steps you took. That documentation helps when you ask providers for help or when you consider insurance or legal recourse.

Prevention: long-term API key security best practices

Prevention is easier and cheaper than remediation. Implement these best practices to avoid API key theft and unauthorized charges:

• Least privilege: Create keys with minimal permissions. Use service accounts or OAuth where possible.
• Short-lived credentials: Prefer tokens that expire and get rotated automatically.
• Secrets management: Store keys in a managed secret store, not in source control or plaintext files.
• Repository scanning: Enable GitHub secret scanning and use third-party scanners on commits and history.
• Automated alerts: Set billing quotas and usage alerts so you notice anomalies early.
• Network restrictions: Restrict keys by IP, referrer, or VPC when the provider supports it.
• Onboarding controls: Train interns and junior devs on secure handling of keys. Enforce policies in templates and IDEs.
• Code reviews and pre-commit hooks: Block commits containing secrets with git hooks and CI checks.

Practical policies for small teams

If you are a startup or small team, pragmatism wins. Use managed secret stores, set low billing alerts, and make key rotation part of the deploy pipeline. Treat keys as sensitive credentials during interviews and onboarding.

Case study: internship exposure leading to €2,000 in charges

Scenario: An intern used a company IDE to test a small prototype and inadvertently committed a provider API key to a repository. Bots or an attacker discovered the key and ran heavy workloads, resulting in about €2,000 in unauthorized charges.

Lessons learned and actions taken:

• Immediate: The team revoked the key, rotated credentials, and isolated the environment.
• Investigation: Logs showed the window of abuse; they collected request IDs and timestamps for the billing dispute.
• Billing: The billing admin contacted provider support, submitted evidence, and requested a review. The provider offered limited reimbursement after confirming the key was abused and after changes were made.
• Prevention: They implemented secret scanning, enforced pre-commit hooks, added onboarding training for interns, and used short-lived service tokens with IP and referrer restrictions.

Fast remediation, clear logs, and better controls reduced the chance of recurrence.

Recovery checklist (24–72 hours)

1. Rotate all affected keys and verify systems work with new credentials.
2. Enable or tighten quotas and billing alerts.
3. Conduct a postmortem and document root cause and fix timeline.
4. Report the incident to billing support and provide logs and remediation evidence.
5. Update onboarding and CI/CD processes to block future secret leaks.

Tools and resources

• GitHub Secret Scanning
• GitGuardian's guide to leaked secrets
• Google Cloud API keys best practices
• Google Cloud billing issue resolution
• Anthropic API key guidance

Final thoughts: what matters most

Be calm and methodical when responding to an API key theft incident. Quick technical action limits immediate damage. Good logging and documentation improve your chance of success when disputing unauthorized charges.

Prevention practices reduce the probability of a repeat incident. If you are running code with cloud APIs, assume secrets will be targeted and build controls accordingly.

Next step: revoke any suspect key now, gather logs, and open a billing support case. It's the fastest path to containment and recovery.