Legacy Google Cloud API Keys Gaining Unintended Access to Gemini APIs
Security researchers reported that Google Cloud API keys long treated as "non-secret" (commonly embedded in public client-side code for Google Maps, YouTube embeds, Firebase, and analytics) silently become usable credentials for Gemini (Generative Language API) endpoints once that API is enabled in the same Google Cloud project. Truffle Security described this as an incorrect-privilege-assignment escalation: AIza-prefixed keys that were originally project identifiers used for billing attribution and API access control, and that have been publicly exposed for years, can unexpectedly grant access to Gemini data and capabilities, including private resources such as uploaded files and cached context, and billable inference, with no developer warning and no explicit re-authorization.
Truffle Security's internet-scale scanning (including Common Crawl) identified roughly 2,800 to 3,000 exposed keys across organizations in multiple sectors (reportedly including Google itself), showing how practical it is to harvest keys from page source and abuse them afterwards. The primary impacts described are data exposure through Gemini API access and cost risk, since an attacker holding a key can run up significant charges by making inference calls. Separate from the API-key issue, Google also announced a Gemini feature update for Google Workspace that lets Gemini search Google Chat history (off by default); that is a product capability announcement, not a vulnerability disclosure.

How this story unfolded
Eight events, listed from the most recent confirmed update back to the earliest known activity.
Quokka reports 35,000+ Google API keys embedded in Android apps
A separate Quokka report found more than 35,000 unique Google API keys embedded across roughly 250,000 Android apps. The finding underscored how AI-enabled endpoints like Gemini can increase the impact of widespread API key exposure beyond websites alone.
Researchers say root-cause architectural fix remains in progress
At disclosure time, researchers said Google's mitigations reduced risk but did not resolve the underlying architectural problem: a project-level API key is honored by every API enabled in that project, so enabling a new service changes what every existing key can reach. They advised organizations to audit whether Gemini was enabled in each project, restrict and rotate exposed keys, and scan codebases and deployed assets for public AIza keys.
Google acknowledges report and deploys mitigations for leaked keys
Google said it classified the issue as a single-service privilege escalation and implemented measures to detect and block leaked keys attempting to access Gemini. The company also said new AI Studio keys would default to Gemini-only scope and that affected users would be notified when leaks are detected.
Truffle Security discloses exposed-key Gemini access issue
By late February 2026, Truffle Security publicly reported that publicly exposed Google Cloud API keys could be abused to access Gemini APIs, potentially exposing private data and causing significant costs. The researchers said they found nearly 3,000 exposed keys across many organizations, including some associated with Google.
Unauthorized Gemini usage racks up $82,314.44 on stolen API key
A startup developer reported that a compromised Google Cloud API key was abused between February 11 and February 12, 2026, generating $82,314.44 in unauthorized Gemini charges within 48 hours. The usage was said to be primarily for Gemini 3 Pro Image and Gemini 3 Pro Text.
November 2025 Common Crawl scan finds thousands of exposed Google keys
Truffle Security scanned the November 2025 Common Crawl dataset and identified thousands of publicly exposed Google Cloud API keys. The researchers later reported that 2,800+ of these keys were still live and could authenticate to Gemini when the Generative Language API was enabled on the same project.
Gemini enablement turns legacy public API keys into higher-risk credentials
Researchers determined that when the Gemini/Generative Language API is enabled in a Google Cloud project, existing unrestricted API keys in that project silently gain access to Gemini endpoints. This is an order-of-operations privilege escalation: a key published when the project served only Maps or Firebase later becomes a credential that can expose Gemini files and cached content and generate billable usage, with nothing about the key itself changing.
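The audit the researchers advised (check whether Gemini is enabled, find exposed AIza keys, restrict or rotate them) and the enablement mechanism described here are what a practitioner most wants to test for in their own projects. The script below is an added example, not code from this page, from Truffle Security, from Google, or from the nuclei template listed under Sources. It assumes the standard 39-character AIza key format, the public models-list endpoint of the Generative Language API as a non-billable authentication probe, and Google's ErrorInfo reason strings SERVICE_DISABLED, API_KEY_SERVICE_BLOCKED and API_KEY_INVALID as the way to tell "Gemini not yet enabled" from "key restricted" and "key revoked". The sample keys and the injectable fetch hook are constructed for illustration.

```python
"""
Added example (not from the page or Truffle Security): scan a source tree for AIza-format
Google API keys and check whether each key currently authenticates to the Generative
Language API, without issuing a billable inference call.

Only probe keys your own organization owns; using someone else's key is unauthorized.
The probe is GET /v1beta/models, a list call that succeeds or fails on authentication
alone and does not generate inference charges.
"""
import json
import os
import re
import urllib.error
import urllib.request

# Google API keys are 39 characters: the fixed "AIza" prefix followed by 35 URL-safe
# base64 characters. The lookarounds stop a key embedded in a longer token from matching.
KEY_RE = re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")

MODELS_URL = "https://generativelanguage.googleapis.com/v1beta/models"


def find_keys(text):
    """Return the distinct AIza-format keys in text, in order of first appearance."""
    return list(dict.fromkeys(m.group(0) for m in KEY_RE.finditer(text)))


def scan_files(items):
    """Map each key to the files it appears in; items yields (path, text) pairs."""
    hits = {}
    for path, text in items:
        for key in find_keys(text):
            hits.setdefault(key, []).append(path)
    return hits


def iter_tree(root, suffixes=(".js", ".html", ".json", ".env", ".py", ".xml", ".ts")):
    """Yield (path, text) for readable source files under root."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="ignore") as fh:
                        yield path, fh.read()
                except OSError:
                    continue


def error_reason(body):
    """Extract the ErrorInfo.reason from a google.rpc.Status JSON error body, or ""."""
    try:
        details = json.loads(body)["error"].get("details", [])
    except (ValueError, KeyError, TypeError, AttributeError):
        return ""
    for item in details:
        if isinstance(item, dict) and "reason" in item:
            return item["reason"]
    return ""


def classify(status, body):
    """Turn the models-list HTTP result into a finding. The reason strings are the
    ErrorInfo reasons Google's APIs return for these cases (assumption: current values)."""
    reason = error_reason(body)
    if status == 200:
        return "GEMINI_REACHABLE"    # API enabled on the project and key not restricted away from it
    if status == 403 and reason == "SERVICE_DISABLED":
        return "GEMINI_NOT_ENABLED"  # enabling the API later would silently flip this key
    if status == 403 and reason == "API_KEY_SERVICE_BLOCKED":
        return "KEY_RESTRICTED"      # an API restriction on the key excludes Gemini: the goal state
    if status == 400 and reason == "API_KEY_INVALID":
        return "KEY_INVALID"         # revoked, rotated, or never a real key
    return f"OTHER_{status}"


def http_get(url, headers):
    """Minimal GET returning (status, body); HTTP error responses are returned, not raised."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(key, fetch=http_get):
    """Check whether key authenticates to Gemini. The key travels in the x-goog-api-key
    header rather than the query string so it stays out of URL logs; fetch is injectable
    so the logic can be exercised offline."""
    status, body = fetch(MODELS_URL, {"x-goog-api-key": key})
    return classify(status, body)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for key, paths in scan_files(iter_tree(root)).items():
        # Print a redacted key so the report itself does not leak the credential.
        print(f"{key[:8]}...{key[-4:]}  {probe(key):18}  {', '.join(paths)}")
```

A key that comes back GEMINI_NOT_ENABLED is exactly the latent case from the timeline: nothing changes until someone enables the Generative Language API in that project. Treat it as a finding rather than waiting. In the console, or with gcloud services api-keys update KEY_ID --api-target=service=SERVICE, pin each public key to the services it actually needs (for the Maps JavaScript API that is maps-backend.googleapis.com), rotate anything that already returns GEMINI_REACHABLE, and keep Gemini in a project of its own with a Gemini-scoped key.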
Google guidance led developers to expose some API keys publicly
For years, Google documentation treated certain API keys used for services like Maps and Firebase as non-secret identifiers that could be embedded in client-side code. This created a large legacy population of publicly accessible AIza-format keys across websites, repositories, and apps.
Sources
Create Google Gemini API Key Check by mestizo, Pull Request #15652, projectdiscovery/nuclei-templates (github.com)
Dev stunned by $82K Gemini API key bill after theft, The Register (go.theregister.com)
Zero-Infra Cloud Exploitation: Hijacking Google's Gemini via Public API Keys, Sohan Kanna, InfoSec Write-ups, March 2026 (infosecwriteups.com)
Google API Keys Exposed: How Gemini Changed Security (vulnu.com)
Google API Keys Expose Private Data Silently Through Gemini (cybersecuritynews.com)
Google API Keys Weren't Secrets. But then Gemini Changed the Rules. Truffle Security Co. (trufflesecurity.com)
Previously harmless Google API keys now expose Gemini AI data (bleepingcomputer.com)
AI Hijack: How I Took Control of an AI Assistant, Security Breached Blog (blog.securitybreached.org)