Update: This issue was resolved on March 16–17, 2026. Read the full update →
Last Saturday I was working on metrics.chrisvogt.me—the small Firebase-backed API that powers the widgets on my personal site. The code is open source at github.com/chrisvogt/metrics. I had just merged a PR that converted the project from JavaScript to TypeScript and was manually testing my changes using the Firebase emulator. In a hurry, I pointed the staging, emulator-backed app at production auth credentials without realizing they were for the wrong environment.
Within minutes, I got an email from Google. The gist:
Dear Developer,
We have recently detected that your Google Cloud Project Personal Metrics API (id: personal-stats-chrisvogt) has been hosting content that appears to be phishing and violating our Terms of Service. Based on our investigation the phishing content is located at the following location(s).
Site Name: personal-stats-chrisvogt
It ended with:
Please note, you may have received a warning that we would suspend the url if you did not correct the violation. If you didn’t receive a warning, it was because your project’s behavior was seriously interfering with the service or other users. Google was forced to suspend the url in order to protect the integrity of the system.
The notice didn’t cite an earlier warning. The template allows that when Google believes a project is seriously interfering with the service or other users. The only activity I can line up with the timing is emulator traffic accidentally pointed at production auth credentials—operator error on my side, not a published phishing kit—but the message didn’t spell out what rule or classifier fired.
What my website’s API actually does
My website’s API isn’t a product or a SaaS. It’s my own backend: it fetches data from Goodreads, Spotify, Instagram, Discogs, and Steam, transforms it for the front end, and caches it in Firestore. There are authenticated endpoints to manually trigger syncs for those integrations, behind Firebase Auth and a login screen—because only I should be kicking off sync jobs.
Whether the Firebase Auth login surface contributed to classification, I don’t know—the email stayed high level. Almost a week in, detailed feedback still hadn’t come back through appeal or compliance inboxes (later resolved once Safe Browsing cleared—see below).
What I’ve tried
I filed an appeal the same day and didn’t get a substantive answer back in the first several days.
I emailed Firebase Support the same day. David replied quickly and clarified that Firebase can’t lift GCP-side suspensions—that Google Cloud owns security and compliance—and suggested the appeal portal, Search Console (not applicable here), google-cloud-compliance@google.com, or paid Google Cloud Support for a suspension specialist.
I sent google-cloud-compliance@google.com the GCP and Firebase case numbers too. Same window: no meaningful reply yet.
Escalation was split across products and mailboxes—each step made sense individually, but there wasn’t one place to watch status end to end until things started moving later in the week.
Where things stand
(Written mid-outage; see the March update at the end for resolution.)
I exported what I needed from the database and pointed the home page at a backup so it kept serving. Widgets stopped updating automatically because the sync pipeline was tied to the suspended hostname.
The delay between flag and an all-clear explanation was awkward for a side project—and would matter more under customer SLAs. I’m documenting the stack-specific failure mode for others weighing the same tradeoffs.
Next: introduce adapters so the metrics service and widgets can talk to more than one hosting path. The open-source repo should benefit from that portability—Vercel, Fly.io, a small Node host, whatever fits.
If you run Firebase Auth with a login UI, treat emulator and production credentials as hard boundaries. I thought I was doing routine QA; the traffic still tripped automated enforcement, the URL went down, and timelines only became visible through several channels at once.
Reference (for support and transparency):
- Firebase Case: 10398734
- GCP Trust & Safety Case: YYCQAG2IWBMVSIWXMNLXF3UQUM
Update (March 2026)
On March 16, the Google Safe Browsing block was lifted. By March 17, everything was back online and the widgets were syncing again.
The incident also pushed a few architectural decisions forward: rewriting the metrics app with provider-agnostic adapters, and converting the project to TypeScript to define stronger boundaries between front and back end. Net neutral, eventually.