When Panos Ipeirotis checked his Amazon Web Services bill last week, he started to sweat. It was $1,177.76 – much more than he'd ever been charged before – and it was going up another $50 to $100 with each passing hour. He had no idea why.

After a some investigation, he found the problem. He had accidentally invented a brand new type of internet attack, thanks to an idiosyncrasy in the online spreadsheets Google runs on its Google Docs service, and he had inadvertently trained this attack on himself. He calls it a Denial of Money attack, and he says others could be susceptible too.

As the world moves more and more information to cloud services from the likes of Amazon and Google, these services don't always interact as effectively as they should. Amazon Web Services can save you money, but Ipeirotis' tale also shows that there are cases where the cloud can backfire.

Ipeirotis, an information operations professor at New York University, had created a pretty unusual spreadsheet. As part of an experiment in how to use crowdsourcing to generate descriptions of images, he had posted thumbnails of 25,000 pictures into a Google document, and then he invited people to describe the images. The problem was that these thumbnails linked back to original images stored on Amazon's S3 storage service, and apparently, Google's servers went slightly bonkers. "Google just very aggressively grabbed the images from Amazon again and again and again," he says.

Soon Google had sucked nearly nine terabits of bandwidth from Ipeirotis' Amazon storage servers. And bandwidth like that costs money.

After speaking with Google representatives, Ipeirotis believes that the company is trying to balance user privacy with a desire to present fresh content. To protect users' privacy, Google doesn't want to actually store the images or links in the spreadsheet on its servers, so it simply fetches them again and again, making sure that it's presenting the latest version of any image. In his case, it just didn't work out.

He believes that Google is going to fix the issue – perhaps teaching its servers to check for changes before fetching new images – but in the meantime, someone could set up a similar spreadsheet and suck a whole lot of bandwidth from someone they didn't like. "Google becomes such a powerful weapon due to a series of perfectly legitimate design decisions," Ipeirotis wrote in a blog posting on the issue.

"We're aware of this report and are investigating it," says Google spokesman Jay Nancarrow.

Lucky for Ipeirotis, Amazon forgave the charges after he explained what had happened.

Ipeirotis would call it a denial of service attack, except for the fact that Amazon's cloud scales up to meet demand. But the attack did deny him money. At least for a little while.