Executive Summary
In February 2026, security researchers discovered that thousands of Google Cloud API keys, previously used as non-sensitive billing identifiers, were publicly exposed and could be exploited to access sensitive Gemini AI endpoints. This exposure occurred when the Gemini API was enabled on existing projects, inadvertently granting these keys authentication capabilities without notifying developers. Attackers could leverage these keys to access private data and incur significant charges on victims' accounts.
This incident underscores the evolving risks associated with API key management and the importance of regularly auditing and securing API credentials. Organizations must be vigilant in monitoring their API configurations to prevent unauthorized access and potential financial losses.
Why This Matters Now
The incident highlights the critical need for organizations to audit and secure their API keys, especially as API functionalities evolve. Failure to do so can lead to unauthorized access, data breaches, and significant financial repercussions.
Attack Path Analysis
Attackers exploited publicly exposed Google Cloud API keys to access sensitive Gemini AI endpoints, leading to unauthorized data access and financial impact. The attack unfolded across six stages: initial compromise through API key exposure, privilege escalation via unintended Gemini API access, lateral movement within cloud services, command and control through API interactions, exfiltration of sensitive data, and financial impact due to unauthorized API usage.
Kill Chain Progression
Initial Compromise
Description
Attackers identified and extracted publicly exposed Google Cloud API keys embedded in client-side code.
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.
Steal Application Access Token
Cloud Instance Metadata API
Cloud Infrastructure Discovery
Remote Services: Cloud Services
Additional Cloud Credentials
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Restrict access to system components and cardholder data
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: Identity Pillar
NIS2 Directive – Security Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Cloud misconfiguration exposes thousands of Google API keys in client-side code, enabling unauthorized Gemini access, quota theft, and potential data exfiltration from development projects.
Information Technology/IT
IT organizations face significant risk from exposed Google Cloud API keys granting unexpected Gemini access, threatening data security, compliance frameworks, and operational cost control.
Financial Services
Financial institutions using Google Cloud services risk unauthorized AI model access through exposed API keys, potentially compromising sensitive data and incurring substantial unexpected charges.
Health Care / Life Sciences
Healthcare organizations face HIPAA compliance violations and patient data exposure risks through misconfigured Google API keys providing unintended access to Gemini AI endpoints.
Sources
- Thousands of Public Google Cloud API Keys Exposed with Gemini Access After API Enablementhttps://thehackernews.com/2026/02/thousands-of-public-google-cloud-api.htmlVerified
- Google API Keys Weren't Secrets. But then Gemini Changed the Rules.https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rulesVerified
- Google API Keys Now A Security Risk Thanks to Geminihttps://www.quokka.io/blog/google-gemini-api-key-mobile-app-security-riskVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit exposed API keys, thereby reducing unauthorized access and potential data exfiltration.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit exposed API keys would likely be constrained, reducing unauthorized access to sensitive services.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be limited, reducing unauthorized interactions with sensitive services.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the cloud environment would likely be constrained, reducing unauthorized access to additional services.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control over services would likely be limited, reducing unauthorized operations.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing unauthorized data transfers.
The financial impact and data exposure resulting from unauthorized API usage would likely be reduced, limiting the overall damage.
Impact at a Glance
Affected Business Functions
- Cloud Service Billing
- Data Storage
- AI Model Access
Estimated downtime: 2 days
Estimated loss: $82,314
Potential access to uploaded files and cached data via Gemini API endpoints.
Recommended Actions
Key Takeaways & Next Steps
- • Audit all Google Cloud projects to identify and restrict publicly exposed API keys.
- • Implement Zero Trust Segmentation to enforce least privilege access controls on API keys.
- • Apply Egress Security & Policy Enforcement to monitor and control outbound API traffic.
- • Utilize Multicloud Visibility & Control to detect and respond to anomalous API activities.
- • Regularly rotate API keys and apply strict access restrictions to minimize exposure.
