Hidden AI Access: Thousands of Exposed Google Cloud API Keys Quietly Gained Gemini Privileges

By Ash K
Hidden AI Access: Thousands of Exposed Google Cloud API Keys Quietly Gained Gemini Privileges

Thousands of publicly exposed Google Cloud API keys may have silently gained access to Gemini AI services after organizations enabled the Generative Language API, according to new security research. What initially appeared to be low-risk, client-side identifiers effectively transformed into functional AI credentials capable of triggering billable model requests and accessing project resources.

The discovery highlights a subtle but significant shift in cloud security risk. In many cases, API keys embedded in mobile apps, JavaScript code, and public repositories were never intended to authenticate against generative AI endpoints. Yet once AI services were activated at the project level, those same keys inherited expanded capabilities without direct reconfiguration.

From Billing Identifier to AI Credential

Google Cloud API keys, commonly recognizable by the “AIza” prefix, are widely used across applications as billing identifiers and lightweight authentication tokens. Historically, organizations relied on referrer or IP restrictions to limit misuse.

However, researchers found that when the Generative Language API was enabled, existing API keys could authenticate to Gemini endpoints. This included the ability to submit prompts, access specific file-related endpoints such as /files and /cachedContents, and consume AI quotas under the associated cloud project.

In projects where API restrictions were loosely configured or absent, publicly exposed keys effectively became open doors to AI infrastructure.

The Scope of Exposure

Security firm Truffle Security identified 2,863 live public API keys with Gemini access. Meanwhile, Quokka’s research into Android applications uncovered more than 35,000 exposed keys embedded in mobile app builds.

Not every exposed key was immediately exploitable, as some projects enforced additional controls. Still, the scale of the exposure underscores how frequently cloud credentials are left accessible in client-side environments.

Researchers demonstrated that malicious actors could leverage these keys to generate AI requests at scale, potentially leading to unexpected billing spikes or quota exhaustion for affected organizations.

Quota Abuse and Financial Impact

Unlike traditional breaches focused on data theft, this vulnerability introduces the risk of compute abuse. Large language models are resource-intensive, and repeated inference calls can quickly accumulate significant charges.

Attackers do not need privileged access to exfiltrate sensitive data to cause harm. Simply consuming AI resources under another organization’s billing account can result in substantial financial losses and operational disruption.

In addition to quota abuse, misconfigured keys may allow limited access to stored files or cached outputs, further widening the potential impact.

AI Enablement Expands the Attack Surface

The core issue lies in how AI services integrate into existing cloud ecosystems. When new APIs are activated, legacy credentials may inherit capabilities that were never fully reassessed. In fast-moving development environments, this type of privilege expansion can go unnoticed.

As organizations accelerate AI adoption, the traditional boundaries between low-risk public keys and sensitive service credentials are blurring. A key that once powered a simple analytics call may now authorize generative AI workloads.

The shift underscores a broader reality: AI integration is not just a feature upgrade. It fundamentally alters authentication and risk models across cloud platforms.

Mitigation and Best Practices

Following the disclosure, Google implemented additional mechanisms to detect and block leaked keys. The company also reiterated recommendations for strict API key restrictions, regular rotation, and active monitoring.

Security teams are advised to audit projects where AI APIs have been enabled, review service-level restrictions, enforce IP or referrer constraints, and rotate older keys beginning with the earliest issued. Continuous secrets scanning across repositories and mobile builds should be considered a baseline defense rather than an optional control.

A Quiet Warning for the AI Era

The exposure of thousands of API keys with unintended Gemini access serves as a cautionary tale for cloud adopters. As AI capabilities expand, so too does the blast radius of seemingly minor configuration oversights.

In the rush to deploy generative AI, organizations may be underestimating how small credential leaks can evolve into meaningful security and financial risks. The lesson is clear: enabling AI is not just about innovation. It is about rethinking identity, access control, and secret hygiene across the entire cloud stack.

Ash K
Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.