Krux

March 1, 2026
Google API Keys Became Gemini Credentials Without Warning
Published: March 1, 2026 at 2:11 PM
Updated: March 1, 2026 at 2:11 PM
100-word summary
Truffle Security scanned November 2025 web data and found 2,863 live Google API keys sitting in public code. The twist? When the Gemini API is enabled, these historically harmless keys suddenly grant access to uploaded files and cached content, and can rack up AI bills. Victims include financial institutions, security firms, and Google itself. Google has since restricted leaked keys and changed how new keys work, but the damage exposes a deeper problem: API keys that were safe to treat casually became authentication credentials overnight. Anyone who copy-pasted a Google API key into client-side code years ago may have accidentally published Gemini access to the entire internet.
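One defender-side check this finding calls for, added here as an example that is not part of the Krux post or of Truffle Security's or Google's tooling: scan a source tree for Google-format API keys and flag the ones sitting in client-side files, since those are public by construction and are exactly the keys that quietly became Gemini credentials. The key format (AIza plus 35 URL-safe characters), the client-side suffix list and the sample files are assumptions.

```python
# Added example (not Truffle Security's or Google's tooling). Assumed: the key
# format AIza + 35 URL-safe chars, the client-side suffix list, the sample files.
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# 39-char Google API key; lookarounds stop matches inside a longer token.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")

# Anything with these suffixes is delivered to browsers or app bundles: public.
CLIENT_SIDE_SUFFIXES = {".js", ".jsx", ".ts", ".tsx", ".html", ".htm",
                        ".vue", ".swift", ".kt", ".dart"}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    fingerprint: str   # prefix...suffix only; never log the whole key
    client_side: bool

def scan_text(path: str, text: str) -> list[Finding]:
    """One Finding per key occurrence; client_side marks keys shipped publicly."""
    client = PurePosixPath(path).suffix.lower() in CLIENT_SIDE_SUFFIXES
    return [
        Finding(path, n, f"{m.group(0)[:8]}...{m.group(0)[-4:]}", client)
        for n, line in enumerate(text.splitlines(), start=1)
        for m in GOOGLE_API_KEY_RE.finditer(line)
    ]

def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map (use Path.rglob for a real tree)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample tree; both keys are fake and only match the format.
SAMPLE_FILES = {
    "web/static/app.js": 'const MAPS_KEY = "AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLE00001";\n',
    "server/config.py": 'GOOGLE_KEY = "AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLE00002"  # TODO env\n',
    "server/settings.py": 'GEMINI_KEY = os.environ["GEMINI_KEY"]\n',
    "docs/README.md": "Keys look like AIza... and must never be committed.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        risk = "PUBLIC: rotate now" if f.client_side else "server-side: move to secret store"
        print(f"{f.path}:{f.line} {f.fingerprint} {risk}")
```

A client-side hit means the key has already been published, so the fix is rotation plus API and referrer restrictions on the replacement, not just deleting the line.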