
Firebase API Keys Behind a €54k Gemini Bill in 13 Hours

A developer reported a €54,000 Google Gemini billing spike in 13 hours after an attacker exploited an unrestricted Firebase API key, according to a post on Google’s AI forum on April 15, 2026. The incident exposes a silent security crisis: when Google launched Gemini, enabling the API on any project silently granted all existing keys access to expensive AI endpoints—without warnings or consent. For a decade, Google told developers Firebase and Maps keys “are not secrets” and belong in client-side code. When Gemini arrived, those same public keys became credentials for an API that can rack up $41,000 per day with no spending cap.

Google Silently Turned Public Keys Into Secrets

When Gemini is enabled on a Google Cloud project, every existing API key automatically gains access to Gemini endpoints—including keys created years ago for Maps or Firebase. Google’s default key scope is “Unrestricted,” meaning enabling one new API silently grants access to all project keys. No warning. No email. No migration prompt.

Security researchers at Truffle Security reported this privilege escalation to Google on November 21, 2025. Google dismissed it as “intended behavior” before reclassifying it as a “Bug” on December 2. The 90-day disclosure window expired February 19, 2026. As of April 2026, no fix exists.

A Hacker News commenter captured the absurdity: “You created a Maps key three years ago…exactly as Google instructed. Last month, a developer enabled Gemini…Your public Maps key is now a Gemini credential.” A key embedded in JavaScript in 2023 under “not a secret” guidance now costs tens of thousands in stolen API usage.

2,863 Verified Exposed Keys, 35,000+ in Mobile Apps

Security researchers identified 2,863 verified vulnerable keys on public websites and 35,000+ hardcoded in Android apps. Truffle Security verified each key by testing it against Gemini endpoints. Quokka found that 39.5% of 250,000 scanned apps had hardcoded Google keys. These keys grant unauthorized access to Gemini and to uploaded files, and can generate $41,000 in charges per day with no spending cap.

Real developers are getting five-figure bills. The €54,000 incident happened overnight, in 13 hours. A Mexican startup faced $82,314 over 48 hours in March 2026—a 46,000% increase over their typical $180 monthly spend. The attack is simple:

# 1. Attacker scans public websites for AIza... keys (found in JavaScript)
# 2. Attacker tests key against Gemini endpoint:
curl https://generativelanguage.googleapis.com/v1/models \
  -H "x-goog-api-key: AIzaSy[VICTIM_KEY]"

# 3. If key works (no 403 error), attacker has access
# 4. Attacker makes thousands of Gemini API requests
# 5. Victim gets bill days later (4-12 hour billing lag)

Any key found in public code can be tested and exploited. This isn’t developer negligence—it’s Google changing the rules after the fact.
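The defender's counterpart to step 1, as an added example that is not part of the original article: a small Python scanner that walks a built web bundle and reports every Google-style key string with its file, line and a redacted value, so the keys you have already shipped can be found and their scopes checked before someone else tests them. The key pattern ("AIza" followed by 35 URL-safe characters, the same rule secret scanners use), the list of scanned file extensions and the sample bundle are assumptions I constructed for this example; the two key strings in it are made up and merely have the right shape.

```python
"""Find Google API key strings in a built web bundle before attackers do.

Added example, not from the original article. Google API keys are 39
characters: the prefix "AIza" followed by 35 URL-safe characters (the same
pattern secret scanners use). Run over your build output; every hit is a
key whose API scope and application restrictions you should check today.
Usage: python3 find_keys.py dist/   (no argument: scans the constructed sample)
"""
import os
import re
import sys
from typing import Iterator, List, Tuple

GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

# Extensions found in a deployed web bundle; assumption, extend as needed.
SCAN_EXTENSIONS = {".js", ".mjs", ".jsx", ".ts", ".tsx", ".html", ".json", ".map"}


def redact(key: str) -> str:
    """Keep the prefix and last four characters so the key can be matched in the console."""
    return key[:8] + "*" * (len(key) - 12) + key[-4:]


def find_google_api_keys(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_key) for every key-shaped string in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            hits.append((lineno, redact(match.group(0))))
    return hits


def scan_tree(root: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (path, line_number, redacted_key) for every key under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for lineno, key in find_google_api_keys(text):
                yield path, lineno, key


# Constructed sample: a minified bundle with a Firebase config and a Maps script URL.
# Both key strings are made up and have the right shape only.
SAMPLE_BUNDLE = (
    'var cfg={apiKey:"AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6r",'
    'authDomain:"demo.firebaseapp.com"};\n'
    "// nothing key-shaped on this line\n"
    'loadScript("https://maps.googleapis.com/maps/api/js?key='
    'AIzaSyZ9y8X7w6V5u4T3s2R1q0P9o8N7m6L5k4i");\n'
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = list(scan_tree(sys.argv[1]))
    else:
        hits = [("<sample>", n, k) for n, k in find_google_api_keys(SAMPLE_BUNDLE)]
    for path, lineno, key in hits:
        print(f"{path}:{lineno}: {key}")
    # Non-zero exit so a CI step fails when a key is found in the bundle.
    sys.exit(1 if hits else 0)
```

Wire it into the build step that produces the bundle: a non-zero exit blocks the deploy, and each reported prefix and suffix is enough to locate the key under "APIs & Services > Credentials" and check whether its API scope is still "Unrestricted".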

Firebase Says “Not a Secret,” Gemini Says “Like a Password”

Google’s documentation contradicts itself. Firebase’s security checklist states “you do not need to treat API keys for Firebase services as secrets.” The Gemini API page advises “Treat your Gemini API key like a password.” As of April 2026, both pages remain unchanged. Developers following Firebase docs are simultaneously violating Gemini docs—without knowing which applies.

Security researchers at Barrack AI titled their analysis: “Google’s Documentation Says API Keys Are Secrets and Also Not Secrets.” When the same key must be “not a secret” (Firebase) and “like a password” (Gemini), how are developers supposed to know they’re vulnerable? Google hasn’t updated either page despite two months of public disclosure.

Budget Alerts Lag 4-12 Hours—Damage Done Before You’re Notified

Google offers budget alerts but no hard spending caps. Billing data lags 4-12 hours behind actual usage. By the time an alert fires, thousands in charges have accumulated. Real-time data exists in Cloud Monitoring, but budget alerts use delayed billing data.

A Hacker News developer explained: “With Google, there is no way to [set hard spending limits]—there are extremely complicated billing alerts, but these are time-delayed e-mails and there is no out of the box way to actually turn off the tap.” The €54,000 incident proves this: budget alerts triggered hours later, but €28,000 had already been spent. The final bill reached €54,000+ due to delayed reporting.

AWS and Azure offer hard limits that kill requests at a threshold. Google’s approach guarantees damage before notification. Billing lag turns API key theft into guaranteed financial damage.

Protect Yourself: Audit Keys and Restrict Scopes Now

Google isn’t notifying affected users—you’re on your own. Run these commands:

  • Audit keys: gcloud alpha services api-keys list
  • Check Gemini: gcloud services list --enabled | grep generativelanguage
  • If both are true: rotate the keys immediately and restrict each one to the specific APIs it needs

Protection steps:

  • Never use “Unrestricted” scope (Google’s default)
  • Separate GCP projects per service (Firebase separate from Gemini)
  • Use Application Default Credentials for server-side code, not API keys
  • Set up Cloud Monitoring alerts (faster than billing alerts)
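One way to turn the audit commands above into a pass/fail report, as an added example that is neither Google's tooling nor code from the original article: a Python script that takes the JSON from `gcloud services api-keys list --format=json` and `gcloud services list --enabled --format=json` and flags every key whose API scope is unrestricted while Gemini is enabled, then keys that explicitly allow Gemini, worst first. The sample key and service records are constructed, and the field names (`restrictions.apiTargets`, the `*KeyRestrictions` application limits, `config.name`) follow the API Keys v2 and Service Usage resources as I understand them; the suggested `gcloud services api-keys update --api-target=service=...` remediation carries a placeholder service name that you replace with the one API the key actually needs.

```python
"""Audit Google Cloud API keys for unintended Gemini exposure.

Added example, not from the article or Google. Usage:
  gcloud services api-keys list --format=json > keys.json
  gcloud services list --enabled --format=json > services.json
  python3 audit_keys.py keys.json services.json
Run without arguments to audit the constructed sample below.
"""
import json
import sys
from typing import Dict, List, Set, Tuple

GEMINI_SERVICE = "generativelanguage.googleapis.com"
# Application-level limits in the API Keys v2 Restrictions object (assumption).
APP_RESTRICTIONS = ("browserKeyRestrictions", "serverKeyRestrictions",
                    "androidKeyRestrictions", "iosKeyRestrictions")
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "OK": 3}


def classify_key(key: dict, gemini_enabled: bool) -> Tuple[str, str]:
    """Return (severity, reason) for one key, given whether Gemini is enabled."""
    restrictions = key.get("restrictions") or {}
    targets = {t.get("service", "") for t in restrictions.get("apiTargets", [])}
    has_app_limit = any(r in restrictions for r in APP_RESTRICTIONS)

    if not targets:  # "Unrestricted" API scope: Google's default, the flaw the article describes
        if gemini_enabled:
            return "CRITICAL", "no API restriction while Gemini is enabled: key can bill Gemini"
        return "HIGH", "no API restriction: enabling any paid API later will expose this key"
    if GEMINI_SERVICE in targets:
        if has_app_limit:
            return "MEDIUM", "allows Gemini; only an application limit protects it"
        return "HIGH", "allows Gemini with no application restriction"
    return "OK", "restricted to " + ", ".join(sorted(targets))


def enabled_services(services_json: List[dict]) -> Set[str]:
    """Service names from `gcloud services list --enabled --format=json`."""
    names = set()
    for svc in services_json:
        name = (svc.get("config") or {}).get("name") or svc.get("name", "").rsplit("/", 1)[-1]
        if name:
            names.add(name)
    return names


def audit(keys_json: List[dict], services_json: List[dict]) -> List[Dict[str, str]]:
    """Classify every key and return the findings, worst first."""
    gemini_on = GEMINI_SERVICE in enabled_services(services_json)
    findings = []
    for key in keys_json:
        severity, reason = classify_key(key, gemini_on)
        findings.append({"name": key.get("name", "?"),
                         "displayName": key.get("displayName", ""),
                         "createTime": key.get("createTime", ""),
                         "severity": severity, "reason": reason})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


def remediation(finding: Dict[str, str]) -> str:
    """Suggested fix: restrict the key to the one API it needs (placeholder service name)."""
    if finding["severity"] == "OK":
        return ""
    return (f"gcloud services api-keys update {finding['name']} "
            "--api-target=service=<SERVICE_THIS_KEY_NEEDS>")


# Constructed sample records in the shape the two gcloud commands emit.
SAMPLE_KEYS = [
    {"name": "projects/demo/locations/global/keys/maps-2023",
     "displayName": "Browser key (Maps, 2023)", "createTime": "2023-03-01T00:00:00Z",
     "restrictions": {}},  # unrestricted: the case the article describes
    {"name": "projects/demo/locations/global/keys/firebase-web",
     "displayName": "Browser key (auto created by Firebase)",
     "createTime": "2024-06-10T00:00:00Z",
     "restrictions": {"apiTargets": [{"service": "firebase.googleapis.com"},
                                     {"service": "identitytoolkit.googleapis.com"}],
                      "browserKeyRestrictions": {"allowedReferrers": ["https://app.example.com/*"]}}},
    {"name": "projects/demo/locations/global/keys/gemini-test",
     "displayName": "Gemini test key", "createTime": "2026-02-01T00:00:00Z",
     "restrictions": {"apiTargets": [{"service": GEMINI_SERVICE}]}},
]
SAMPLE_SERVICES = [{"config": {"name": "firebase.googleapis.com"}},
                   {"config": {"name": GEMINI_SERVICE}}]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as kf, open(sys.argv[2]) as sf:
            keys, services = json.load(kf), json.load(sf)
    else:
        keys, services = SAMPLE_KEYS, SAMPLE_SERVICES
    for f in audit(keys, services):
        print(f"[{f['severity']}] {f['displayName']} ({f['createTime'][:10]}): {f['reason']}")
        if remediation(f):
            print("    fix: " + remediation(f))
```

On the sample, the 2023 Maps key with an empty `restrictions` block comes out CRITICAL because the project has Gemini enabled, the Gemini test key is HIGH for lacking any application restriction, and the Firebase key, pinned to two services and a referrer list, is OK. Run it per project; a key that is OK today still needs re-checking whenever a new API is enabled, which is exactly the change the article says Google makes silently.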

This vulnerability is actively exploited. Audit immediately—waiting risks a five-figure bill from an architectural flaw Google hasn’t fixed.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
