Google API Keys Were Public by Design. Then Gemini Arrived

Google told developers their API keys weren't secrets — and they were right, until Gemini launched on the same key infrastructure. Truffle Security found 2,863 exposed keys in the wild, including on Google's own websites.


If you've built anything with Google Maps, Firebase, or any Google Cloud service that used an API key, open Google Cloud Console and check your key restrictions. Truffle Security found 2,863 live, unrestricted Google API keys sitting in public HTML. If the Generative Language API is enabled on any of those projects, those keys reach Gemini.

An attacker who finds one of those keys can query the AI model running inside that project, access uploaded files and cached data, and drain the key owner's API quota. The affected organizations include major financial institutions, security companies, global recruiting firms, and Google's own public-facing infrastructure.


Why so many keys are public

Google's documentation told developers to put them there.

The Firebase security checklist is unambiguous: "you do not need to treat API keys for Firebase services as secrets, and you can safely embed them in client code." The Firebase API keys documentation makes the same point for Firebase-specific use. That language is still live.

The guidance was accurate when written. Google API keys aren't authentication credentials in the traditional sense — they're project identifiers for billing and API routing. Putting one in a JavaScript file wasn't a mistake. It was the documented approach, and for Maps or Firebase it carried no meaningful risk. Developers who followed those instructions weren't being careless.


What Gemini changed

When Google added Gemini to its API ecosystem, it ran it through the same key infrastructure as Maps and Firebase. An API key created in 2019 for a Google Maps project — sitting in public HTML because the docs said that was fine — now authenticates to the Generative Language API if Gemini has been enabled on that Google Cloud project. No announcement. No migration. No notification to existing key holders that their blast radius had quietly expanded to include an AI model with access to uploaded files and cached data.

Google Cloud API keys are unrestricted by default — capable of hitting every API the project has enabled. That default was reasonable when Maps and Analytics were the only options. It's a different calculation when the same key can reach a generative AI model, and nobody told the people who created those keys five years ago that the calculation had changed.


The research

Joe Leon and Dylan Ayrey at Truffle Security — the team behind TruffleHog — scanned the November 2025 Common Crawl archive, a public snapshot covering 2.29 billion web pages. They found 2,863 live, unrestricted Google API keys. Most were years old. Most were placed in public code by developers doing exactly what the documentation said.

The examples that moved the disclosure forward were keys found in Google's own public-facing websites — created before Gemini existed, following the documentation to the letter, now usable to query Gemini against Google's own project environment.


Disclosure timeline

Truffle Security filed the report in November 2025. Google's initial assessment: low severity, working as intended. The team escalated with the examples from Google's own infrastructure. Google reclassified on January 13, 2026, built an internal pipeline to identify and restrict affected keys, and committed to a root-cause fix before the 90-day window closed.

The window closed February 19, 2026. The fix is still in progress. Google has committed to scoping new AI Studio keys to Gemini only by default and sending proactive notifications when a key turns up in public crawls — improvements that don't reach the 2,863 already sitting in public HTML.


What to do

Open Google Cloud Console → APIs & Services → Credentials. Any key showing "No restrictions" can reach every API enabled on your project.

Then check APIs & Services → Enabled APIs. If the Generative Language API is in that list, every unrestricted key on the project has access to Gemini.

Restrict each key to only the APIs it actually uses. A Maps key has no business touching the Generative Language API; the restriction is a dropdown in the same credentials panel, and you set it once. If any key has ever appeared in public HTML or a public repository, rotate it. The age of the key doesn't matter. The key that was safe to expose in 2021 is not the same key today.
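The same check, scripted, as an added example that is not from the article or from Truffle Security: it consumes the JSON that `gcloud services api-keys list --format=json` and `gcloud services list --enabled --format=json` emit, flags keys with no API restrictions on a project where the Generative Language API is enabled, and does not let a referrer-only restriction clear a key. The field names (`restrictions.apiTargets[].service`, `config.name`) are assumed from the API Keys v2 and Service Usage resource shapes, and the sample input is constructed.

```python
import json

GEMINI_SERVICE = "generativelanguage.googleapis.com"

# Constructed sample of `gcloud services api-keys list --format=json` output.
SAMPLE_KEYS = json.dumps([
    {"displayName": "maps-web-2019", "uid": "key-1",
     "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
    # Referrer restriction only: limits where the key is used from, not which APIs it reaches.
    {"displayName": "firebase-web", "uid": "key-2",
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["*.example.com/*"]}}},
    # No restrictions at all: the default for an older key.
    {"displayName": "legacy-analytics", "uid": "key-3"},
])
# Constructed sample of `gcloud services list --enabled --format=json` output.
SAMPLE_SERVICES = json.dumps([
    {"config": {"name": "maps-backend.googleapis.com"}},
    {"config": {"name": GEMINI_SERVICE}},
])


def api_targets(key):
    """Return the set of services a key is limited to; empty means every enabled API."""
    return {t["service"] for t in key.get("restrictions", {}).get("apiTargets", [])}


def audit(keys_json, services_json):
    """Map key name -> finding for every key that can reach Gemini on this project.

    A key without apiTargets reaches every enabled API, so it reaches Gemini
    whenever the Generative Language API is enabled. A key that lists Gemini
    explicitly is reported too, so the owner can confirm it is intentional.
    """
    enabled = {s["config"]["name"] for s in json.loads(services_json)}
    gemini_on = GEMINI_SERVICE in enabled
    findings = {}
    for key in json.loads(keys_json):
        name = key.get("displayName") or key.get("uid")
        targets = api_targets(key)
        if not targets and gemini_on:
            findings[name] = "unrestricted; reaches Gemini: restrict or rotate"
        elif GEMINI_SERVICE in targets:
            findings[name] = "explicitly allows Gemini: confirm intended"
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_KEYS, SAMPLE_SERVICES).items():
        print(f"{name}: {finding}")
```

Pipe the real gcloud output into `audit()` in place of the constructed samples; a project where the Generative Language API is not enabled yields no findings for unrestricted keys, which is why the enabled-services check comes first.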

TruffleHog will scan your codebase for exposed secrets the same way the researchers scanned Common Crawl — essentially Google dorking applied to your own repos, surfacing what's sitting in commit history that shouldn't be. Worth running before assuming you're clean.

The failure here isn't a vulnerable key or a negligent developer. It's a documented design decision — accurate when written — becoming a liability when a new system was layered on top without updating the surface beneath it. It's the same dynamic that made the Fortinet SSO bypass work: two systems correct on their own terms, and a gap in the handoff between them. The developers who put these keys in HTML followed the instructions. What didn't happen was notification when Gemini changed what those instructions meant.

If you want to understand the full scope of what Google's AI products can see across your account — files, cached data, project environments — that's worth reading separately. I covered it here.
