Previously harmless Google API keys now expose Gemini AI data
Summary
Google API keys (credentials that allow developers to access Google services) that were previously safe to expose online became dangerous when Google introduced its Gemini AI assistant, because these keys could now be used to authenticate to Gemini and access private data. Researchers found nearly 3,000 exposed API keys on public websites, and attackers could use them to make expensive API calls and drain victim accounts by thousands of dollars per day.
Solution / Mitigation
Google has implemented the following measures: (1) new AI Studio keys will default to Gemini-only scope, (2) leaked API keys will be blocked from accessing Gemini, and (3) proactive notifications will be sent when leaks are detected. Additionally, developers should check whether Generative Language API is enabled on their projects, audit all API keys to find publicly exposed ones, and rotate them immediately. The source also recommends using TruffleHog (an open-source tool that detects live, exposed keys in code and repositories) to scan for exposed keys.
Classification
Affected Vendors
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint
Original source: https://www.bleepingcomputer.com/news/security/previously-harmless-google-api-keys-now-expose-gemini-ai-data/
First tracked: February 26, 2026 at 07:00 PM
Classified by LLM (prompt v3) · confidence: 95%