Developer Faces $82K Bill From Stolen Gemini API Key

A three-person development team in Mexico is facing $82,314.44 in unauthorized charges after a stolen Google Cloud API key was used to rack up costs on Gemini services in just 48 hours. The incident, which occurred between February 11 and 12, highlights a critical security flaw where legacy Google API keys intended for services like Google’s AI Maps have quietly gained access to resource-intensive Gemini endpoints.

The $82K Incident

The affected developer, posting to Reddit under the username RatonVaquero, reported that attackers primarily abused Gemini 3 Pro Image and Gemini 3 Pro Text endpoints. This represented a 46,000% increase from the startup’s normal monthly bill of $180.

After deleting the compromised key, disabling the Gemini APIs, rotating credentials, and enabling two-factor authentication, the developer opened a support case with Google. According to the Reddit post, a Google representative cited the company’s shared responsibility model, indicating the developer is liable for securing their own credentials. Google has not publicly confirmed whether it will waive the charges.

The Root Cause: Silent Privilege Escalation

Research from security firm Truffle Security uncovered the underlying vulnerability. The company reported finding 2,863 publicly exposed and active Google API keys that can now authenticate to Gemini, despite being originally deployed for non-sensitive services like Google Maps.

According to Joe Leon, security researcher at Truffle Security, these keys grant attackers the ability to access uploaded files and cached data, and to charge LLM usage to the victim’s account. The issue stems from Google Cloud’s decision to make existing API keys automatically authenticate to Gemini once the Generative Language API is enabled on a project, without notifying the developer.

How the Vulnerability Works

For over a decade, Google advised developers that API keys (identified by the prefix AIza) were safe to embed in client-side code for services like Maps, Firebase, and YouTube. These keys functioned as harmless billing identifiers, not security credentials.

When Gemini was introduced, any API key in a project with the Generative Language API enabled silently gained authentication privileges to Gemini endpoints. Keys that had been publicly exposed for years, originally deployed for non-sensitive purposes, suddenly became powerful credentials for accessing private data and generating costly LLM requests.

Truffle Security’s scan of the November 2025 Common Crawl dataset revealed keys embedded in the source code of major financial institutions, security companies, global recruiting firms, and even Google’s own public-facing websites. One key Truffle tested had been deployed in February 2023, well before the Gemini API existed.
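A practical first step for a team in this position is to find out whether its own checkouts still carry embedded keys of this kind. The scanner below is an added example, not code from the article, Truffle Security or Google; it assumes the common 39-character key format (the AIza prefix plus 35 URL-safe characters) and reports findings in masked form so the report itself does not leak the credential.

```python
import re
from pathlib import Path
from typing import NamedTuple

# Assumption (not stated in the article): Google API keys are 39 characters,
# the "AIza" prefix followed by 35 URL-safe base64 characters. This is the
# pattern commonly used by secret scanners; adjust it if your keys differ.
GOOGLE_API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")

class Finding(NamedTuple):
    path: str
    line_no: int
    masked_key: str  # first 8 and last 4 characters only, never the full key

def mask(key: str) -> str:
    """Return a redacted form that is safe to paste into a ticket or log line."""
    return f"{key[:8]}...{key[-4:]}"

def scan_text(text: str, path: str = "<stdin>") -> list[Finding]:
    """Find every AIza-style key in `text`, one Finding per occurrence."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, mask(match.group(0))))
    return findings

def scan_tree(root: str, suffixes=(".js", ".html", ".ts", ".py", ".json", ".xml", ".env")) -> list[Finding]:
    """Walk a checkout and scan text files with the given suffixes."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            try:
                findings.extend(scan_text(p.read_text(errors="ignore"), str(p)))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return findings

# Constructed sample: a client-side Maps loader of the kind the article describes,
# with a made-up key that is not a real credential.
SAMPLE_JS = """
const script = document.createElement('script');
script.src = 'https://maps.googleapis.com/maps/api/js?key=AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6R';
document.head.appendChild(script);
"""

if __name__ == "__main__":
    import sys
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_JS, "sample.js")
    for f in hits:
        print(f"{f.path}:{f.line_no}: embedded Google API key {f.masked_key}")
    sys.exit(1 if hits else 0)  # non-zero exit lets CI block the commit
```

Run it with a directory argument to scan a real checkout; each hit is a key that should be rotated and, at minimum, restricted to the specific APIs it needs in the Cloud Console.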

Google’s Response and Remediation

Truffle Security disclosed the vulnerability to Google’s Vulnerability Disclosure Program on November 21, 2025. Google initially classified the behavior as intended but later reclassified it as a bug after Truffle provided examples from Google’s own infrastructure.

On January 13, 2026, Google classified the issue as Single-Service Privilege Escalation, READ (Tier 1). As of February 19, 2026, when the 90-day disclosure window closed, Google was still working on a root-cause fix.

Google has implemented several measures:

  • Restricted the 2,863 identified exposed keys from accessing the Gemini API
  • New API keys created through AI Studio now default to Gemini-only access
  • Proactive detection and blocking of leaked keys attempting to access Gemini
  • Notifications when leaked keys are detected

In a statement to multiple outlets, Google said: “We are aware of this report and have worked with the researchers to address the issue. Protecting our users’ data and infrastructure is our top priority. We have already implemented proactive measures to detect and block leaked API keys that attempt to access the Gemini API.”

Broader Exposure

The problem extends beyond websites. Security firm Quokka published a separate report finding over 35,000 unique Google API keys embedded in 250,000 Android apps, all potentially vulnerable to the same privilege escalation.

Additionally, new keys created through the Google Cloud Console default to Unrestricted access, meaning they’re valid for every enabled API in the project, including Gemini. This makes the escalation a platform-level design flaw rather than isolated developer misconfiguration.
