I recently enabled Gemini in one of my projects.
A few days ago (11th April 2026) my project was suspended due to activity consistent with Account Hijacking. There’s no evidence of any server keys being leaked.
I checked the Google Cloud billing console and saw calls to Gemini API models that we don’t call anywhere in our project, which means an unauthorized user called those models using our Firebase configuration.
The scary part for any developer using the Gemini Web SDK is that no secret key is required to call the models. The public Firebase config keys are all that’s required.
The only way to prevent unauthorized usage is to enable App Check for AI Logic.
I feel that Google Cloud should require App Check enforcement for AI Logic to prevent this. This could affect any project where the Gemini API is enabled and uses the Gemini Web SDK.
The worst part is that, despite now enforcing App Check for AI Logic and submitting an appeal for reinstatement to Google Cloud, my project remains suspended 4 days later, even with paid support.
I would recommend making the core parts of your project fully replaceable, like Supabase, replaceable auth, etc.
Relying solely on Firebase is something I regret.
I can’t believe the response times for issues as critical as project reinstatements.
Has anyone had a similar case, and how did you get it resolved?
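An added example, not code from the post, of the check the poster did by hand in the billing console: flag Gemini models the app never calls, and days whose usage dwarfs the app's own baseline. The row shape and SKU wording are constructed; a real billing or usage export has different column names, so `modelFromSku` has to be adapted to it.

```javascript
// Added example, not code from the post: audit Gemini usage rows for two signs of
// abuse of a public Firebase config: models the app never calls, and daily volume
// far above the app's own baseline. Row shape and SKU wording are constructed;
// a real billing/usage export uses different column names.

const ALLOWED_MODELS = new Set(["gemini-2.0-flash"]); // assumption: the only model the app calls
const SPIKE_FACTOR = 5; // flag a day at more than 5x the model's median daily usage

// Constructed sample rows: one per (day, SKU); usage = token count billed that day.
const SAMPLE_ROWS = [
  { day: "2026-04-09", sku: "Gemini 2.0 Flash input tokens", usage: 120000 },
  { day: "2026-04-10", sku: "Gemini 2.0 Flash input tokens", usage: 135000 },
  { day: "2026-04-11", sku: "Gemini 2.0 Flash input tokens", usage: 2400000 },
  { day: "2026-04-11", sku: "Gemini 2.5 Pro input tokens", usage: 900000 },
];

// "Gemini 2.0 Flash input tokens" -> "gemini-2.0-flash"; null for SKUs that are not model tokens.
function modelFromSku(sku) {
  const m = /^(gemini(?:\s[a-z0-9.]+)+?)\s(?:input|output)\stokens$/i.exec(sku.trim());
  return m ? m[1].toLowerCase().replace(/\s+/g, "-") : null;
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

function auditUsage(rows, allowed) {
  const perModel = new Map(); // model -> Map(day -> summed usage)
  for (const row of rows) {
    const model = modelFromSku(row.sku);
    if (!model) continue;
    const days = perModel.get(model) ?? new Map();
    days.set(row.day, (days.get(row.day) ?? 0) + row.usage);
    perModel.set(model, days);
  }
  // Any model outside the allowlist means someone else is using the project's config.
  const unexpectedModels = [...perModel.keys()].filter((m) => !allowed.has(m)).sort();
  const spikes = [];
  for (const [model, days] of perModel) {
    if (!allowed.has(model)) continue; // already reported as unexpected
    const base = median([...days.values()]);
    for (const [day, usage] of days) {
      if (usage > SPIKE_FACTOR * base) spikes.push({ model, day, usage, median: base });
    }
  }
  return { unexpectedModels, spikes };
}

console.log(JSON.stringify(auditUsage(SAMPLE_ROWS, ALLOWED_MODELS), null, 2));
```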