Google API keys now authenticate to Gemini, exposing nearly 3,000 public keys as security risks
Security researchers at Truffle Security found that Google's single API key format (AIza...) now authenticates to Gemini, despite Google telling developers for over a decade that API keys aren't secrets. Scanning millions of websites revealed nearly 3,000 Google API keys, originally deployed for public services like Maps, that now also grant access to Gemini.
With a valid key, attackers can access uploaded files, cached data, and charge LLM usage to the victim's account. Even Google's own old public API keys were vulnerable. Legacy keys now pose direct security risks to every organization that deployed them.
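Because the finding rests on keys that were deliberately shipped in public web content, the practical defender question is "which of our pages still carry an AIza-format key?". The following is an added example, not code from Truffle Security or Google: a small scanner that applies the well-known Google API key shape (the literal prefix `AIza` followed by 35 characters from `[0-9A-Za-z_-]`) to page source, deduplicates hits, and reports them redacted so the report itself does not become a second leak. The sample page and both key values are constructed for the example and are not real credentials.

```python
import re

# Shape of a Google API key as matched by secret-scanning tools: the literal
# prefix "AIza" followed by exactly 35 characters from [0-9A-Za-z_-] (39 total).
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

# Constructed sample keys: correct shape, made-up content, not real credentials.
MAPS_KEY = "AIza" + "SyEXAMPLEmapsKey" + "0" * 19        # 16 + 19 = 35 chars
FIREBASE_KEY = "AIza" + "SyEXAMPLEfirebase" + "1" * 18   # 17 + 18 = 35 chars

# Constructed sample of the kind of front-end code a site ships publicly:
# a Maps script tag, a Firebase config, a duplicate, and a near-miss decoy.
SAMPLE_PAGE = f"""<script src="https://maps.googleapis.com/maps/api/js?key={MAPS_KEY}"></script>
<script>
  const firebaseConfig = {{ apiKey: "{FIREBASE_KEY}", projectId: "demo" }};
  // second copy of the same maps key further down the page
  const mapsKey = "{MAPS_KEY}";
  const notAKey = "AIzaTooShort";
</script>
"""


def find_google_api_keys(text):
    """Return [(line_number, key)] for the first occurrence of each distinct key.

    Duplicates are collapsed so one key embedded several times is one finding;
    strings with the AIza prefix but the wrong length (the decoy) do not match.
    """
    seen = set()
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            key = match.group(0)
            if key not in seen:
                seen.add(key)
                hits.append((lineno, key))
    return hits


def redact(key):
    """Keep enough of the key to locate it in a codebase, not enough to use it."""
    return key[:8] + "..." + key[-4:]


def report(text):
    """Human-readable findings with redacted key values."""
    return [f"line {lineno}: {redact(key)}" for lineno, key in find_google_api_keys(text)]


if __name__ == "__main__":
    for finding in report(SAMPLE_PAGE):
        print(finding)
```

Each hit is a key to check in the Google Cloud console: confirm it carries API restrictions limiting it to the service it was deployed for (for example the Maps JavaScript API only) and application restrictions such as HTTP referrers, and rotate it if it was ever unrestricted. A key that was only ever meant to be public still needs that restriction, since the page's point is that the same key format now reaches Gemini.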
View full digest for February 26, 2026