Google API keys weren't secrets, but then Gemini changed the rules
trufflesecurity.com
February 25, 2026
18 min read
🔥🔥🔥🔥🔥
78/100
Summary
Google API keys, previously considered non-sensitive, can now be used by Gemini to access private user data. A scan of millions of websites revealed nearly 3,000 Google API keys that were originally deployed for public services.
Key Takeaways
- Google API keys, previously considered safe for public use, can now access sensitive Gemini endpoints, allowing attackers to exploit them for unauthorized access to private data.
- Nearly 3,000 Google API keys, originally deployed for public services, were found to authenticate to Gemini without any notification to developers.
- The default setting for new API keys in Google Cloud is "Unrestricted," granting immediate access to all enabled APIs, including sensitive ones like Gemini.
- Google retroactively expanded the privileges of existing API keys without warning, leading to potential security vulnerabilities for developers who followed previous guidelines.
Community Sentiment
Concerns
- Google's failure to standardize tests or specifications for API key security highlights a significant oversight, raising concerns about their commitment to user safety.
- The retroactive privilege expansion of API keys without user notification poses serious risks, allowing unauthorized access to sensitive data and potentially leading to unexpected costs.
- Allowing older, public keys to access the Gemini API without adequate safeguards demonstrates a lack of foresight in API security management, which could undermine trust in their services.
