Google Cloud Flags My Site’s API as Phishing, Engineer Still Seeks Explanation

Google Cloud’s automated trust‑and‑safety system flagged the personal‑metrics API hosted on Firebase as a phishing site without issuing a prior warning, and the suspension remains in effect despite multiple appeals, according to software engineer Chris Vogt, who maintains the open‑source project on GitHub [Chrisvogt]. Vogt says the flag was triggered after he inadvertently pointed a locally emulated test build at production authentication credentials while converting the codebase from JavaScript to TypeScript. Within minutes the platform sent a “phishing” notice that cited “seriously interfering with the service or other users” as the justification for an immediate suspension, yet it provided no concrete evidence of malicious content [Chrisvogt].

The API in question is a personal backend that aggregates data from third‑party services—Goodreads, Spotify, Instagram, Discogs, and Steam—into Firestore for use by widgets on Vogt’s public site. All endpoints are protected by Firebase Auth and a login screen that restricts sync operations to the developer’s own account. Vogt speculates that the login flow may have been misinterpreted as a phishing vector, but the notification he received offered no details about which URL or request pattern triggered the classification [Chrisvogt]. Because the API does not serve any external customers, the suspension effectively halted the automatic data refresh pipeline, leaving the front‑end widgets static while the site’s home page continues to load from a backup copy [Chrisvogt].

Vogt’s attempts to resolve the issue have run into a procedural dead‑end. After filing an appeal the same day the suspension was enacted, he received no response from Google’s compliance team. An email exchange with a Firebase support engineer named David clarified that Firebase cannot lift suspensions; only Google Cloud’s security and compliance division can, and they suggested either opening a formal appeal, contacting google‑cloud‑compliance@google.com, or purchasing a paid support plan to speak with a “Project Suspension” specialist [Chrisvogt]. Vogt followed those instructions, sending the required ticket numbers to the compliance address, but the inbox has remained silent for nearly a week [Chrisvogt].

The incident arrives amid a broader push by Google Cloud to showcase its security capabilities. VentureBeat reported that the company announced 30 security‑related enhancements at its Cloud Next event, positioning the platform as increasingly resilient against threats [VentureBeat Google Cloud Platform beefs up]. However, Vogt’s experience highlights a gap between high‑level security messaging and the day‑to‑day transparency developers receive when automated systems flag benign traffic. The lack of a clear remediation path or detailed diagnostic data forces developers to either rebuild on alternative infrastructure or absorb prolonged downtime, eroding confidence in the platform’s reliability for personal or low‑scale projects.

Given the uncertainty surrounding the suspension, Vogt is evaluating migration options away from Firebase and Google Cloud altogether. He has already exported the necessary data from Firestore and is running a stripped‑down version of his site on a backup host, but the loss of automated syncs underscores the operational risk of relying on a single cloud provider for critical personal services. As Vogt notes, the episode “makes me question whether I can trust Firebase or GCP to keep a personal (or any) app healthy without warning or explanation,” a sentiment that may resonate with other indie developers who depend on Google’s managed services for low‑cost backends [Chrisvogt].