The Register and security researchers at Truffle Security have reported concerns over the alleged abuse of exposed Google Cloud API keys.
The reports suggest some older public-facing API keys, originally used for services like Google Maps, may also have been capable of accessing Gemini AI and Veo video-generation services if those APIs had been enabled within the same Google Cloud project, potentially leading to large unexpected bills for some users.
Google said the issue reflects wider industry problems involving leaked credentials rather than a Google-specific security flaw, and that it has introduced stricter API restrictions to reduce the risk.
Businesses should treat API keys like passwords by restricting permissions, avoiding exposed reusable keys, enabling MFA, rotating credentials regularly, and closely monitoring billing alerts and quota changes.
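One way to check a project for the condition described above, as an added example that is not code from The Register, Truffle Security or Google: it compares each key's API restrictions with the services enabled in the project and flags keys that can reach a generative AI service. The record shape (modelled on the API Keys API `restrictions.apiTargets` field), the AI service names and all sample data are assumptions constructed for illustration.

```python
# Added example: flag API keys that could reach generative AI services.
# Assumed record shape: restrictions.apiTargets[].service; sample data is constructed.
# Assumed service names for the Gemini API and Vertex AI.
AI_SERVICES = {"generativelanguage.googleapis.com", "aiplatform.googleapis.com"}

def allowed_services(key):
    """Return the set of services a key is limited to, or None if unrestricted."""
    targets = (key.get("restrictions") or {}).get("apiTargets") or []
    services = {t["service"] for t in targets if t.get("service")}
    return services or None

def is_client_exposed(key):
    """Keys with browser/app restrictions are meant to ship in public clients."""
    r = key.get("restrictions") or {}
    return any(k in r for k in ("browserKeyRestrictions",
                                "androidKeyRestrictions", "iosKeyRestrictions"))

def audit_keys(keys, enabled_services):
    """Return findings for keys able to call an AI service enabled in the project."""
    ai_enabled = AI_SERVICES & set(enabled_services)
    findings = []
    for key in keys:
        allowed = allowed_services(key)
        reachable = ai_enabled if allowed is None else ai_enabled & allowed
        if not reachable:
            continue
        findings.append({
            "key": key["displayName"],
            "reachable_ai_services": sorted(reachable),
            "reason": "no API restriction" if allowed is None else "AI service allowed",
            "severity": "high" if allowed is None or is_client_exposed(key) else "review",
        })
    return findings

# Constructed inventory for one project.
SAMPLE_ENABLED = ["maps-backend.googleapis.com", "generativelanguage.googleapis.com"]
SAMPLE_KEYS = [
    {"displayName": "legacy-maps-web"},  # no restrictions at all
    {"displayName": "maps-web-restricted", "restrictions": {
        "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
        "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
    {"displayName": "backend-gemini", "restrictions": {
        "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]},
        "apiTargets": [{"service": "generativelanguage.googleapis.com"}]}},
]

if __name__ == "__main__":
    for finding in audit_keys(SAMPLE_KEYS, SAMPLE_ENABLED):
        print(finding)
```

The unrestricted legacy key is the case the reports describe: it was issued for Maps, but nothing stops it from calling an AI service later enabled in the same project.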