Yes, I did it. What amazes me is that bots are scanning GitHub in search of free API keys. I can understand that, but what is weird is that they were able to activate a different API (Compute Engine), host 3 virtual machines and use them to mine crypto. My question is: isn't it a vulnerability that they can host virtual machines and use a different API? I had to shut down the whole project.
Depending on the role assigned to the compromised service account, an attacker can do everything or nothing.
There are some basic "best practices" regarding keys and service accounts that should be useful to you.
Generally, use (if possible) a different service account to manage VMs and/or rotate keys weekly or twice a week (just like the Google-managed ones), and avoid putting any API keys into repositories that can/will be synchronised with public ones :)
Yes, it sounds silly, but slip-ups happen and this will make unauthorised access way less likely or impossible.
Also, following the "least privilege" rule may be worth going for: compromised credentials will not be of much use then.
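As an added example (not part of the thread above), one way to act on the advice about keeping keys out of synchronised repositories is to check file contents before they are committed. The function names, file paths and sample values below are constructed for illustration; the API key pattern is the one commonly used by secret scanners and is an assumption here.

```python
import json
import re

# Assumption: Google API keys are commonly matched as "AIza" followed by
# 35 URL-safe characters (the pattern used by common secret scanners).
API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")


def find_gcp_secrets(path, text):
    """Return a list of (path, kind) findings for one file's contents."""
    findings = []
    if API_KEY_RE.search(text):
        findings.append((path, "google-api-key"))
    # Service-account key files are JSON objects carrying these two fields.
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if (isinstance(doc, dict) and doc.get("type") == "service_account"
            and "private_key" in doc):
        findings.append((path, "service-account-key"))
    return findings


def scan(files):
    """files: mapping of path -> contents, e.g. the staged files of a commit."""
    out = []
    for path, text in sorted(files.items()):
        out.extend(find_gcp_secrets(path, text))
    return out


# Constructed sample input; none of these values are real credentials.
FAKE_API_KEY = "AIza" + "X" * 35
SAMPLE_FILES = {
    "config.py": 'MAPS_KEY = "%s"\n' % FAKE_API_KEY,
    "deploy/key.json": json.dumps({
        "type": "service_account",
        "client_email": "ci@example-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\n(placeholder)\n",
    }),
    "README.md": "Set MAPS_KEY from the environment.\n",
}

if __name__ == "__main__":
    for path, kind in scan(SAMPLE_FILES):
        print("%s: %s" % (path, kind))
```

Wired into a pre-commit hook that exits non-zero on any finding, this stops the commit before the key ever reaches a repository that is mirrored publicly.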