New research from Truffle Security has uncovered a significant security vulnerability affecting Google Cloud API keys, potentially exposing sensitive data and leading to unexpected billing charges. These Google Cloud API keys, commonly used for billing purposes, have been found to grant unauthorized access to sensitive Gemini endpoints, allowing attackers to authenticate and retrieve private information, including uploaded files and cached data.
The cybersecurity firm identified nearly 3,000 Google API keys, typically marked with the “AIza” prefix, embedded in client-side code. These keys were originally intended to facilitate Google services, such as embedding maps on websites. However, a new security report reveals that when the Gemini API is enabled on a Google Cloud project, these existing API keys, even those publicly exposed in website JavaScript, can be leveraged to access Gemini endpoints without explicit user consent.
Google Cloud API Keys Compromised, Exposing Gemini Endpoints
This discovery highlights a critical oversight in how Google Cloud API keys are managed and permissioned. Security researcher Joe Leon stated that with a valid key, an attacker can access uploaded files, cached data, and incur LLM usage charges on the victim’s account. “The keys now also authenticate to Gemini even though they were never intended for it,” Leon noted, underscoring the unintended consequences of this security lapse.
The vulnerability arises from the default configuration in Google Cloud, where newly generated API keys can be set to “Unrestricted.” With this setting, the key is valid for every API enabled within that project, including the Gemini API. Consequently, thousands of API keys initially deployed as mere billing tokens have effectively become active Gemini credentials accessible on the public internet.
Truffle Security’s analysis revealed 2,863 live keys that were publicly accessible, with one instance even associated with a Google-owned website. This situation is compounded by a separate report from Quokka, which found over 35,000 unique Google API keys in its scan of 250,000 Android applications. Quokka’s report further emphasizes that the risk extends beyond mere cost abuse, as compromised API keys could interact with AI-enabled endpoints in ways that expand their potential impact.
The mobile security company warned that the evolving integration of AI and cloud services creates a complex risk profile. “Even if no direct customer data is accessible, the combination of inference access, quota consumption, and possible integration with broader Google Cloud resources creates a risk profile that is materially different from the original billing-identifier model developers relied upon,” Quokka stated.
Meanwhile, Google has acknowledged the issue and is actively working to mitigate it. A Google spokesperson confirmed, “We are aware of this report and have worked with the researchers to address the issue. Protecting our users’ data and infrastructure is our top priority.” The company has reportedly implemented proactive measures to detect and block leaked API keys attempting to access the Gemini API.
While it remains unconfirmed whether this vulnerability has been actively exploited in the wild, a recent Reddit post detailed a case where a “stolen” Google Cloud API Key allegedly resulted in over $82,000 in charges within a two-day period in February 2026, a stark contrast to the user’s typical monthly spend of approximately $180. This incident, if verified, serves as a potent illustration of the potential financial ramifications of such compromises.
Recommendations for Users and Developers
Organizations that have configured Google Cloud projects are strongly advised to review their enabled APIs and services. If AI-related APIs, such as Gemini, are enabled and their associated API keys are publicly accessible, users are urged to rotate these keys immediately. Truffle Security suggests prioritizing the oldest keys first, as these are more likely to have been deployed under older guidelines that considered API keys safe for public sharing, and to have subsequently gained Gemini privileges.
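The review described above can be scripted. The following is an added example, not code from Truffle Security or Google: it takes key metadata in the shape returned by `gcloud services api-keys list --format=json` together with the project's enabled service names, and lists, oldest first, the keys that are permitted to call the Gemini API. The sample keys, project number and function names are constructed for illustration.

```python
import json
from datetime import datetime

GEMINI_SERVICE = "generativelanguage.googleapis.com"

# Constructed sample in the shape of `gcloud services api-keys list --format=json`.
SAMPLE_KEYS = json.loads("""
[
  {"name": "projects/000000000000/locations/global/keys/example-maps-2019",
   "displayName": "Maps embed key", "createTime": "2019-03-14T09:21:07Z"},
  {"name": "projects/000000000000/locations/global/keys/example-maps-2023",
   "displayName": "Maps key (API-restricted)", "createTime": "2023-06-02T12:00:00Z",
   "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
  {"name": "projects/000000000000/locations/global/keys/example-web-2021",
   "displayName": "Website key", "createTime": "2021-11-30T08:15:00Z",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["example.com/*"]}}},
  {"name": "projects/000000000000/locations/global/keys/example-gemini-2025",
   "displayName": "Gemini backend key", "createTime": "2025-01-10T10:00:00Z",
   "restrictions": {"apiTargets": [{"service": "generativelanguage.googleapis.com"}]}}
]
""")

def reaches_gemini(key, enabled_services):
    """True if this key is permitted to call Gemini in a project with these APIs enabled."""
    if GEMINI_SERVICE not in enabled_services:
        return False
    targets = key.get("restrictions", {}).get("apiTargets", [])
    # No API restriction: the key applies to every enabled API, Gemini included.
    # A referrer or app restriction alone does not narrow which APIs the key can call.
    return not targets or any(t.get("service") == GEMINI_SERVICE for t in targets)

def review_queue(keys, enabled_services):
    """Keys that can reach Gemini, oldest first, with the reason each was flagged."""
    flagged = []
    for key in keys:
        if not reaches_gemini(key, enabled_services):
            continue
        targets = key.get("restrictions", {}).get("apiTargets", [])
        reason = "explicit Gemini target" if targets else "no API restriction"
        created = datetime.fromisoformat(key["createTime"].replace("Z", "+00:00"))
        flagged.append((created, key["displayName"], reason))
    return [(c.date().isoformat(), n, r) for c, n, r in sorted(flagged)]

if __name__ == "__main__":
    # Enabled service names are an assumption here; in practice take them
    # from `gcloud services list --enabled` for the project under review.
    for row in review_queue(SAMPLE_KEYS, {"maps-backend.googleapis.com", GEMINI_SERVICE}):
        print(*row, sep="  ")
```

Each flagged key still has to be checked for public exposure before rotation; the script only shows which keys the project's configuration allows to call Gemini.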
Tim Erlin, security strategist at Wallarm, commented on the dynamic nature of security risks, stating, “This is a great example of how risk is dynamic, and how APIs can be over-permissioned after the fact.” He emphasized the necessity of continuous security testing and vulnerability scanning. “The adoption of AI running on these APIs, and using them, only accelerates the problem. Finding vulnerabilities isn’t really enough for APIs. Organizations have to profile behavior and data access, identifying anomalies and actively blocking malicious activity.”
The ongoing situation underscores the evolving threat landscape in cloud security and the critical need for robust API key management practices. As Google continues to roll out new services and features, maintaining a vigilant security posture and adapting to emerging risks will be paramount for protecting sensitive data and financial resources.

