Overview
- TruffleSecurity scanned the November 2025 Common Crawl and identified more than 2,800 live Google API keys exposed in client-side code that could be used with Gemini.
- Google says it now proactively detects and blocks leaked keys attempting to access the Gemini API, will default new AI Studio keys to Gemini-only scope, and classified the issue as a single-service privilege escalation.
- Researchers warn attackers can copy keys from website source code to call Gemini endpoints, potentially accessing data and generating substantial billable usage.
- Exposed keys were linked to major financial institutions, security firms, and recruiting companies, and one was embedded on a Google product page since at least February 2023.
- Developers are urged to audit projects for Gemini enablement, rotate any publicly exposed keys immediately, and use tools such as TruffleHog to detect live leaks.
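An added example of the "detect live leaks" step, not code from the article or from TruffleHog: a small offline scanner that walks a set of project files, flags strings matching the Google API key shape (assumed here to be the documented `AIza` prefix followed by 35 URL-safe characters), and marks whether each hit sits in a client-side asset, which is the exposure the researchers describe. It makes no network calls, so it does not verify whether a key is live; it only tells you what would be shipped to a browser and therefore needs rotation. The sample files are constructed.

```python
import re
from typing import NamedTuple

# Assumed key shape: "AIza" + 35 chars from [0-9A-Za-z_-]. Lookarounds instead
# of \b so keys ending in "_" or "-" are still matched exactly once.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)

# Anything with these extensions is delivered to the browser, so a key found
# there is readable by anyone who views source.
CLIENT_SIDE_EXTS = (".js", ".mjs", ".html", ".htm", ".map")


class Finding(NamedTuple):
    path: str
    line_no: int
    key: str
    client_side: bool


def redact(key: str) -> str:
    """Show only the prefix and tail so reports can be shared safely."""
    return key[:8] + "..." + key[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every key-shaped token in `text`, tagged with its location."""
    client_side = path.lower().endswith(CLIENT_SIDE_EXTS)
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in GOOGLE_API_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, m.group(0), client_side))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map (swap in os.walk for a real tree)."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def exposure_report(findings: list[Finding]) -> dict:
    """Summarise what must be rotated: client-side hits are the urgent ones."""
    return {
        "total": len(findings),
        "client_side": sum(1 for f in findings if f.client_side),
        "unique_keys": len({f.key for f in findings}),
    }


# Constructed sample project; the key below is a made-up placeholder.
SAMPLE_FILES = {
    "static/app.bundle.js": (
        "// constructed sample: key hard-coded in a browser bundle\n"
        'const GEMINI_KEY = "AIzaSyEXAMPLE_DO_NOT_USE_0123456789abcd";\n'
        "fetch(`/api?key=${GEMINI_KEY}`);\n"
    ),
    "server/.env": "GEMINI_API_KEY=AIzaSyEXAMPLE_DO_NOT_USE_0123456789abcd\n",
    "server/app.py": 'key = os.environ["GEMINI_API_KEY"]  # loaded at runtime\n',
    "static/notes.js": '// "AIzaShort" is not a key: wrong length\n',
}


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        where = "CLIENT-SIDE" if f.client_side else "server-side"
        print(f"{where:11} {f.path}:{f.line_no} {redact(f.key)}")
    print(exposure_report(results))
```

Run it over a real checkout by replacing `SAMPLE_FILES` with the files from `os.walk`; any client-side hit should be rotated in the Google Cloud console first and then scrubbed from the source, since the copy already served to browsers cannot be recalled.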