2,863 Google Keys Now Unlock Gemini by Accident

March 2, 2026

Published: March 2, 2026 at 6:08 PM

Updated: March 2, 2026 at 6:08 PM

What happened

A security scan found nearly 3,000 Google API keys sitting on public websites that quietly gained access to Gemini once the Generative Language API was enabled. The catch: old keys you never treated as secrets suddenly became credentials for private files and unlimited billable Gemini calls. Google defaults new keys to "Unrestricted," so turning on Gemini retroactively upgrades every existing key in that project. One exposed key had been public since February 2023.
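A defender's check for the condition described above, as an added example that is not part of the original article: it reads JSON assumed to be shaped like the output of `gcloud services list --enabled --format=json` and `gcloud services api-keys list --format=json`, and reports which keys in a project can call Gemini. The sample data, key names and the `audit_keys` helper are constructed for illustration.

```python
import json

GEMINI_SERVICE = "generativelanguage.googleapis.com"

# Constructed sample data (not from the article), in the assumed shape of
# `gcloud services list --enabled --format=json` and
# `gcloud services api-keys list --format=json`.
SAMPLE_ENABLED = json.loads("""[
  {"config": {"name": "maps-backend.googleapis.com"}},
  {"config": {"name": "generativelanguage.googleapis.com"}}
]""")
SAMPLE_KEYS = json.loads("""[
  {"displayName": "maps-widget-2023", "uid": "example-uid-1"},
  {"displayName": "maps-restricted", "uid": "example-uid-2",
   "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
  {"displayName": "gemini-backend", "uid": "example-uid-3",
   "restrictions": {"apiTargets": [{"service": "generativelanguage.googleapis.com"}],
                    "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]}}},
  {"displayName": "referrer-only", "uid": "example-uid-4",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]}}}
]""")


def gemini_enabled(enabled_services):
    """True if the Generative Language API is enabled in the project."""
    return any(s.get("config", {}).get("name") == GEMINI_SERVICE for s in enabled_services)


def audit_keys(keys, enabled_services):
    """Return (displayName, reason) for every key that can call Gemini."""
    if not gemini_enabled(enabled_services):
        return []  # API is off in this project, so no key in it reaches Gemini
    findings = []
    for key in keys:
        targets = (key.get("restrictions") or {}).get("apiTargets") or []
        services = {t.get("service") for t in targets}
        if not targets:
            # No API restriction: the key works for every API enabled in the
            # project, even if a referrer or IP restriction is set.
            findings.append((key.get("displayName"), "no API restriction"))
        elif GEMINI_SERVICE in services:
            findings.append((key.get("displayName"), "Gemini explicitly allowed"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_keys(SAMPLE_KEYS, SAMPLE_ENABLED):
        print(f"{name}: {reason}")
```

Keys reported with "no API restriction" are the ones that gained Gemini access only because the API was enabled; any of them that appear in public page source should be rotated and given an explicit API restriction.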

Why it matters

Google now blocks leaked keys and limits new ones, but the incident reveals a hard truth: adding AI capabilities to your existing setup can instantly turn boring configuration into live security holes.
