121/69 Monday, March 2, 2026

Security firm Truffle Security has released new research revealing that nearly 2,863 Google Cloud API keys were embedded in client-side website code and exposed to the public internet. Some of the affected websites were reportedly associated with Google itself. Although these API keys were originally intended only to identify projects for billing purposes, they automatically gained access to the Gemini API when the Generative Language API was enabled within those projects, without any explicit warning to users. Researcher Joe Leon stated, “With just one valid key, an attacker could access uploaded files, cached data, and even shift LLM usage costs to the victim’s account.”
The concern deepened after Quokka published additional findings identifying more than 35,000 exposed Google API keys across over 250,000 Android applications. Meanwhile, a Reddit user reported that a stolen Google Cloud API key led to unexpected charges of $82,314 within just two days (February 11–12, 2026), compared to their normal monthly usage of around $180. Part of the issue stems from Google Cloud’s default configuration, where newly created API keys are set to “Unrestricted,” allowing them to access all enabled APIs within a project, including Gemini.
Google has acknowledged the issue and stated that it has implemented proactive measures to detect and block leaked API keys attempting to access Gemini. Organizations using Google Cloud are strongly advised to review which AI-related APIs are enabled in their projects and immediately rotate any API keys that may have been exposed, whether through JavaScript, public repositories, or other means. Older keys are considered particularly high risk and should be replaced first. Security experts emphasize that “security risks are constantly evolving; testing and assessment must be ongoing, not a one-time effort.”
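The advice above to find and rotate exposed keys starts with knowing where they are. The following is an added example, not part of the original report or of Truffle Security's tooling: a small scanner that finds Google API key-shaped tokens (the documented shape is the literal prefix `AIza` followed by 35 URL-safe characters) in client-side JavaScript, notes whether the same line calls the Generative Language endpoint, and redacts each hit before reporting. The JavaScript input and the keys in it are constructed placeholders, not real credentials.

```python
import re

# Google API keys have a fixed shape: the prefix "AIza" followed by
# 35 characters from [0-9A-Za-z_-], 39 characters in total.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

# Hostname of the Generative Language (Gemini) API, used to flag keys that
# are visibly being sent to it from browser code.
GEMINI_HOST = "generativelanguage.googleapis.com"

# Constructed placeholder keys: correct length and prefix, otherwise meaningless.
KEY1 = "AIzaSyA" + "0" * 32
KEY2 = "AIzaSyB" + "1" * 32

# Constructed sample of client-side code, not taken from any real site.
SAMPLE_JS = f"""
const cfg = {{
  apiKey: "{KEY1}",  // constructed placeholder
  projectId: "example-project",
}};
fetch("https://{GEMINI_HOST}/v1beta/models?key={KEY2}")
  .then(r => r.json());
// Not a key: "AIzaShort"
"""


def mask(key: str) -> str:
    """Return a redacted form of a key that is safe to paste into a ticket."""
    return key[:8] + "..." + key[-4:]


def find_google_api_keys(text: str) -> list:
    """Scan text line by line and return one finding per key-shaped token.

    Each finding records the 1-based line number, the redacted key, and
    whether that line also references the Gemini API host.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            findings.append({
                "line": lineno,
                "key": mask(match.group(0)),
                "gemini_endpoint": GEMINI_HOST in line,
            })
    return findings


def distinct_key_count(text: str) -> int:
    """Number of distinct key-shaped tokens, for a rotation checklist."""
    return len(set(GOOGLE_API_KEY_RE.findall(text)))


if __name__ == "__main__":
    for f in find_google_api_keys(SAMPLE_JS):
        flag = " (sent to Gemini endpoint)" if f["gemini_endpoint"] else ""
        print(f"line {f['line']}: {f['key']}{flag}")
    print(f"{distinct_key_count(SAMPLE_JS)} distinct key(s) to rotate")
```

Run it over a site's bundled JavaScript (for example, the files a crawler fetched from your own domains). Every hit is a key that should be treated as public and rotated; a hit that also references the Gemini host shows the key is already being used for LLM calls from the browser, which is exactly the billing exposure the report describes.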
Source: https://thehackernews.com/2026/02/thousands-of-public-google-cloud-api.html
