Google's unprotected API keys a security and cost risk due to Gemini AI
Security researchers have found nearly 3000 publicly visible Google API keys authorizing Gemini. This allows abusive access.
Google is working to fix a problem with its API keys after security researchers pointed out possible misuse. This is because the keys for accessing Google's cloud services, such as Maps or Firebase, which are integrated in plain text on many websites, are often also used for Gemini. With these publicly visible API keys, unauthorized people can not only use Google AI and thus incur costs but also access documents and data sets uploaded to Gemini – a data protection and security issue.
The API keys are used to access Google Cloud Endpoints, which have been generally available since early 2017. The keys are embedded in website code to reach Google's map service or databases, for example, or to log in users. Such API keys can be viewed in the source code and, according to Google, are not a secret. This was not an issue years ago, but then Google introduced Gemini and, with artificial intelligence (AI), also the “Generative Language API” (Gemini API).
Problem: Old API keys for new AI purposes
The Gemini API allows projects to use Google AI, for example to call Gemini from Python programs. However, Google also allows the use of existing API keys, which may previously have been embedded in websites. According to the security researchers at Truffle Security, these API keys are activated for Gemini without warning, additional confirmation, or notification by email. Furthermore, even when generating a new API key, Google Cloud defaults to an insecure setting: the key can be used for all APIs, including Gemini.
Outsiders can obtain the API keys simply by reading a website's source code. With a key that is enabled for Gemini, they can view private data previously uploaded to Gemini and use Google's AI in the cloud themselves, which incurs additional costs depending on the API access and the booked AI model. Unauthorized people could also exhaust the entire quota booked for Gemini, so that no legitimate API access is possible anymore.
Cost explosion due to API key misuse
A developer of a small Mexican startup is already reporting such a case on Reddit. The monthly bill for the Google Cloud API key is usually 180 US dollars. However, in mid-February, the key was massively used by unauthorized people for image generation and text creation by Gemini 3 Pro, causing the bill to jump to $82,314.44. This threatens the three-person startup with bankruptcy if Google insists on this bill.
This is unlikely to be an isolated case, as security researchers have discovered 2863 publicly visible API keys that could be misused for unauthorized Gemini access. This affects not only hobby projects, but also financial institutions, security companies, recruitment agencies, and even Google itself. This convinced Google in December 2025 to address the issue. In early February, Google stated that it was still working on fixing the cause. However, in the Gemini API documentation, the company already provides some “tips on unexpected costs due to security vulnerabilities” and “security measures for leaked keys”.
Users of API keys should check in the Google Cloud Platform (GCP) console whether the Gemini API is activated. If it is, the usage of the API keys should be carefully reviewed. Publicly visible API keys should be replaced immediately.
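The check recommended above, together with the insecure default described in the section on old keys being reused for AI, can be turned into a small audit: find the keys embedded in a page's source, look up each key's project-side restrictions, and decide whether it can be used against the Gemini API. The script below is an added example, not code from the article or from Google or Truffle Security. It assumes that Google API keys are 39 characters starting with "AIza", that the Gemini API's service name is generativelanguage.googleapis.com, and that key metadata has the shape of the `restrictions` field of a Key resource from Google's API Keys API (`apiTargets`, `browserKeyRestrictions`); the page source, the keys, and the list of enabled services are all constructed inline.

```python
import re
from typing import Iterable

# Service name of the Gemini ("Generative Language") API in Google Cloud.
GEMINI_SERVICE = "generativelanguage.googleapis.com"

# Google API keys are 39 characters and start with "AIza". The lookarounds keep a
# key from matching inside a longer token without cutting off keys ending in "-".
API_KEY_RE = re.compile(r"(?<![0-9A-Za-z_\-])AIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])")

# Constructed, non-working keys of the right shape for the example.
KEY_MAPS = "AIzaSyCONSTRUCTED_EXAMPLE_0123456789012"
KEY_FIREBASE = "AIzaSyCONSTRUCTED_EXAMPLE_ABCDEFGHIJKLM"

# Constructed page source: the plain-text embedding the article describes.
CONSTRUCTED_HTML = f"""
<script src="https://maps.googleapis.com/maps/api/js?key={KEY_MAPS}&callback=initMap"></script>
<script>
  const firebaseConfig = {{ apiKey: "{KEY_FIREBASE}", projectId: "demo-project" }};
</script>
"""

# Constructed key metadata, shaped like the `restrictions` field of an API Keys API
# Key resource (assumed shape; compare with the real response before relying on it).
CONSTRUCTED_KEYS = [
    {
        "displayName": "maps-web",
        "keyString": KEY_MAPS,
        "restrictions": {
            "apiTargets": [{"service": "maps-backend.googleapis.com"}],
            "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
        },
    },
    {
        # Created with the default settings: no API target restriction at all.
        "displayName": "firebase-web",
        "keyString": KEY_FIREBASE,
        "restrictions": {},
    },
]

# Constructed set of APIs enabled in the project; Gemini was switched on after
# both keys already existed, which is exactly the situation the article describes.
ENABLED_SERVICES = {
    "maps-backend.googleapis.com",
    "firebase.googleapis.com",
    GEMINI_SERVICE,
}


def find_embedded_keys(html: str) -> list[str]:
    """Return the distinct Google API keys visible in page source, in order of appearance."""
    seen: dict[str, None] = {}
    for match in API_KEY_RE.findall(html):
        seen.setdefault(match, None)
    return list(seen)


def key_can_reach_gemini(key: dict, enabled_services: Iterable[str]) -> bool:
    """True if the Gemini API would accept this key in its project.

    A key reaches Gemini when the API is enabled in the project and the key either
    has no API-target restriction (the default) or lists Gemini among its targets.
    """
    if GEMINI_SERVICE not in set(enabled_services):
        return False
    targets = key.get("restrictions", {}).get("apiTargets")
    if not targets:
        return True  # unrestricted key: valid for every enabled API, Gemini included
    return any(t.get("service") == GEMINI_SERVICE for t in targets)


def audit(html: str, keys: list[dict], enabled_services: Iterable[str]) -> list[dict]:
    """Cross-check keys embedded in page source against their project-side restrictions."""
    by_string = {k["keyString"]: k for k in keys}
    findings = []
    for key_string in find_embedded_keys(html):
        meta = by_string.get(key_string)
        gemini = key_can_reach_gemini(meta, enabled_services) if meta else None
        if meta is None:
            action = "unknown key in page source: identify the owning project"
        elif gemini:
            action = "rotate now and restrict the replacement to the APIs the page needs"
        else:
            action = "restricted; still confirm referrer restriction and review usage"
        findings.append({
            "displayName": meta["displayName"] if meta else None,
            "keyString": key_string[:8] + "...",  # never log full key strings
            "gemini_reachable": gemini,
            "action": action,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_HTML, CONSTRUCTED_KEYS, ENABLED_SERVICES):
        print(finding)
```

In a real project the key metadata would come from `gcloud services api-keys list --format=json` and the enabled APIs from `gcloud services list --enabled --format=json`; a key that the audit flags should be replaced and the new key restricted with `gcloud services api-keys update` and its `--api-target` flag (for example `--api-target=service=maps-backend.googleapis.com`) plus a referrer restriction, so that the default "valid for all APIs" setting the article criticizes no longer applies.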
(fds)