{"data":{"id":"9fc49823-7745-41e7-ba4b-9aa0981430d3","title":"Google API Keys Weren't Secrets. But then Gemini Changed the Rules.","summary":"Google API keys that were originally created as public identifiers for Google Maps became dangerous security risks when Google enabled the Gemini API on the same projects, because a key with Gemini access can read private files and make billable requests, yet developers were never notified of this privilege change. Truffle Security discovered nearly 3,000 exposed API keys in web archives that could access Gemini, including some belonging to Google itself, highlighting how a service upgrade unexpectedly transformed harmless public keys into secret credentials.","solution":"Google is working to revoke affected keys. Additionally, Google recommends checking your own API keys to verify that none of them are affected by this issue.","labels":["security"],"sourceUrl":"https://simonwillison.net/2026/Feb/26/google-api-keys/#atom-everything","publishedAt":"2026-02-26T04:28:55.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["data_extraction"],"issueType":"news","affectedPackages":null,"affectedVendors":["Google"],"affectedVendorsRaw":["Google","Gemini","Google Maps","Google API"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}