Full Report
Left hand, meet right hand
Analysis Summary
# Incident Report: Compromised Firebase Service Account Key
## Executive Summary
A solo developer experienced an account takeover of his Google Cloud Platform (GCP) environment via a compromised Firebase admin SDK service account key. Over a 48-hour period, threat actors utilized the key to generate over $11,000 in fraudulent charges, primarily through Gemini AI image-generation models. Despite Google’s automated systems detecting the "abusive activity" and suspending the account, the organization has held the developer financially liable for the charges.
## Incident Details
- **Discovery Date:** June 7, 2026
- **Incident Date:** June 7 – June 8, 2026
- **Affected Organization:** Charles Jones (Solo Developer)
- **Sector:** Technology / SEO / Insurance
- **Geography:** Undisclosed (likely United States)
## Timeline of Events
### Initial Access
- **Date/Time:** June 7, 2026
- **Vector:** Compromised API/Service Account Key
- **Details:** A `firebase-adminsdk` service account key was obtained by a third party. The specific source of the leak (e.g., repository leak, VM compromise, or intercept) remains unverified.
### Lateral Movement
- The attacker used the administrative privileges of the Firebase SDK key to access Google Cloud Project resources, specifically leveraging AI and Machine Learning APIs.
### Data Exfiltration/Impact
- **Financial Impact:** $11,089.77 in unauthorized usage charges.
- **Resource Abuse:** Massive scale generation of AI images using Gemini models.
### Detection & Response
- **June 7, 2026:** Google’s Trust & Safety team detected "abusive activity consistent with hijacked resources" and suspended the account.
- **Post-Detection:** The developer received notification, reported the compromise to Google, disabled the affected service account, and revoked the compromised key.
- **Recovery:** Account reinstated following remediation, but billing dispute remains active as Google refuses to waive charges.
## Attack Methodology
- **Initial Access:** API Key / Service Account Key compromise (`firebase-adminsdk`).
- **Persistence:** Not applicable; the attacker used valid (though stolen) credentials to perform actions.
- **Privilege Escalation:** Use of an Administrative SDK key provided high-level access by default.
- **Defense Evasion:** Use of legitimate cloud APIs; however, the volume of requests eventually triggered automated fraud detection.
- **Credential Access:** Stolen service account key (Method of theft unknown).
- **Lateral Movement:** Cloud API access across services.
- **Collection:** N/A.
- **Exfiltration:** N/A.
- **Impact:** Financial exhaustion and resource hijacking for AI generation.
## Impact Assessment
- **Financial:** $11,089.77 in direct cloud billing costs.
- **Data Breach:** No report of sensitive data exfiltration; primary impact was "compute" and "API" theft.
- **Operational:** Account suspension led to temporary service disruption for the developer’s programmatic SEO/insurance sites.
- **Reputational:** Minimal public impact, but highlights risks to solo developers using GCP.
## Indicators of Compromise
- **Behavioral indicators:** Sudden, massive spike in Gemini image-generation API calls inconsistent with established baseline usage.
- **Service Account:** Activity associated with `firebase-adminsdk`.
## Response Actions
- **Containment:** Google suspended the GCP account.
- **Eradication:** The developer manually disabled the hijacked service account and revoked the compromised JSON keys.
- **Recovery:** Identity verification and account reinstatement through Google Cloud Support.
## Lessons Learned
- **Shared Responsibility Ambiguity:** Google’s "Shared Responsibility Model" assumes customer negligence in the event of a key leak, even if the customer cannot find evidence of a leak on their end.
- **Lack of Hard Spending Caps:** Budget alerts in GCP do not automatically stop services; they only notify the user. Relying on them is insufficient to prevent Five-figure losses in a short timeframe.
- **Forensic Gap:** Google provided notices of "abusive activity" but did not provide the developer with logs or forensic details (IPs, geolocations, or access paths) to help identify the source of the leak.
## Recommendations
- **Implement Hard Quotas:** Manually set API usage quotas (e.g., Gemini API requests per day) to a level just above normal usage to prevent runaway costs.
- **Automated Billing Shutdown:** Deploy a Cloud Function triggered by Cloud Billing Pub/Sub notifications to programmatically disable billing or shut down resources when thresholds are met.
- **Key Rotation:** Implement a strict rotation policy for service account keys and avoid storing them in plaintext on VMs.
- **Secret Management:** Use Google Secret Manager or Workload Identity Federation instead of static JSON service account keys where possible.