Thousands of Public Google Cloud API Keys Exposed with Gemini Access After API Enablement
Summary
Google Cloud API keys are project-scoped credentials that identify a project for quota and billing when calling Google services, and they are routinely embedded in public web pages for low-risk functions such as Maps. A key that carries no API restriction can call any API that is enabled on its project, so when project owners later enabled the Gemini API (Google's AI model service), those long-public keys silently gained access to Gemini as well, with no warning from the console. Anyone who found such a key on the public internet could read private files and cached data held under the project and run expensive AI requests that were billed to the victim. Security researchers discovered nearly 3,000 such keys.
Solution / Mitigation
Google has implemented proactive measures to detect and block leaked API keys that attempt to access the Gemini API. Project owners are additionally advised to (1) check each Google Cloud project to see whether AI-related APIs are enabled, and (2) if they are, and any of the project's keys are exposed in client-side JavaScript or public repositories, rotate those keys, starting with the oldest ones first, since those are the most likely to have been deployed publicly under the old guidance that API keys were safe to share.
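The following triage script is an added example, not code from the article or from Google. It takes the JSON that `gcloud services list --enabled --format=json` and `gcloud services api-keys list --format=json` emit (field names follow the public Service Usage and API Keys v2 resources; the sample data here is constructed), lists the keys that can reach the Gemini API service (`generativelanguage.googleapis.com`), and orders them oldest first to match the rotation priority above. It also flags keys that carry only HTTP-referrer restrictions: those are browser keys by design, and referrer checks are spoofable, so they do not protect a leaked key.

```python
"""Find Google Cloud API keys that can call the Gemini API, oldest first.

Added example (not from the article). Feed it the JSON output of
`gcloud services list --enabled --format=json` and
`gcloud services api-keys list --format=json`. Sample data is constructed.
"""
import json
from datetime import datetime

GEMINI_SERVICE = "generativelanguage.googleapis.com"  # Gemini API (AI Studio)

# Constructed sample in the shape of `gcloud services list --enabled --format=json`
ENABLED_SERVICES_JSON = """[
  {"config": {"name": "maps-backend.googleapis.com"}, "state": "ENABLED"},
  {"config": {"name": "generativelanguage.googleapis.com"}, "state": "ENABLED"}
]"""

# Constructed sample in the shape of `gcloud services api-keys list --format=json`
API_KEYS_JSON = """[
  {"name": "projects/123/locations/global/keys/old-maps-key",
   "displayName": "Website maps key (2019)",
   "createTime": "2019-05-02T10:00:00Z",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]}}},
  {"name": "projects/123/locations/global/keys/scoped-maps-key",
   "displayName": "Maps key, API-restricted",
   "createTime": "2023-01-15T10:00:00Z",
   "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
  {"name": "projects/123/locations/global/keys/backend-gemini-key",
   "displayName": "Server-side Gemini key",
   "createTime": "2025-11-01T10:00:00Z",
   "restrictions": {"apiTargets": [{"service": "generativelanguage.googleapis.com"}]}},
  {"name": "projects/123/locations/global/keys/unrestricted-2024",
   "displayName": "No restrictions at all",
   "createTime": "2024-03-09T10:00:00Z",
   "restrictions": {}}
]"""


def enabled_services(services_json: str) -> set:
    """Names of the APIs currently enabled on the project."""
    return {s["config"]["name"] for s in json.loads(services_json) if s.get("state") == "ENABLED"}


def key_can_call(key: dict, service: str) -> bool:
    """A key with no apiTargets restriction can call every enabled API on the
    project; a key with apiTargets can call only the listed services."""
    targets = key.get("restrictions", {}).get("apiTargets") or []
    if not targets:
        return True
    return any(t.get("service") == service for t in targets)


def is_public_by_design(key: dict) -> bool:
    """Referrer-restricted keys are meant to ship in client-side JavaScript, and
    a Referer header is attacker-controlled, so treat them as public. Keys with
    no restrictions at all are treated the same way until proven otherwise."""
    restrictions = key.get("restrictions", {})
    return "browserKeyRestrictions" in restrictions or not restrictions


def gemini_exposed_keys(keys_json: str, services_json: str) -> list:
    """Return (key id, createTime, public_by_design) for every key that can reach
    Gemini, oldest first. Empty if the Gemini API is not enabled on the project."""
    if GEMINI_SERVICE not in enabled_services(services_json):
        return []
    keys = [k for k in json.loads(keys_json) if key_can_call(k, GEMINI_SERVICE)]
    keys.sort(key=lambda k: datetime.fromisoformat(k["createTime"].replace("Z", "+00:00")))
    return [(k["name"].rsplit("/", 1)[-1], k["createTime"], is_public_by_design(k)) for k in keys]


if __name__ == "__main__":
    for key_id, created, public in gemini_exposed_keys(API_KEYS_JSON, ENABLED_SERVICES_JSON):
        flag = "ROTATE NOW (public by design)" if public else "review (server-side key)"
        print(f"{created}  {key_id:24}  {flag}")
```

On the constructed sample the script lists `old-maps-key`, `unrestricted-2024` and `backend-gemini-key`, in that order, and skips `scoped-maps-key` because its `apiTargets` restriction excludes Gemini. Beyond rotating, a Maps key that must stay public should be pinned to the Maps services it actually uses with the `--api-target=service=...` flag of `gcloud services api-keys update`, so that enabling a new API on the project no longer widens what the key can reach.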
Classification
Affected Vendors
Related Issues
Original source: https://thehackernews.com/2026/02/thousands-of-public-google-cloud-api.html
First tracked: February 28, 2026 at 07:00 AM
Classified by LLM (prompt v3) · confidence: 95%