Overview
- Truffle Security identified 2,863 Google Cloud API keys in public code that can authorize Gemini requests, spanning sectors from finance to security firms and reportedly including keys tied to Google projects.
- Keys embedded for years in public website source for services like Maps can be reused to invoke Gemini without any extra confirmation step, exposing data previously uploaded to Gemini under the same project and allowing charges to accrue rapidly.
- A developer reported a February bill jumping from about $180 to $82,314.44 after unauthorized Gemini 3 Pro usage, and said Google is insisting on payment.
- Google acknowledges the issue and provides mitigation guidance to check Gemini activation in the GCP console, audit usage, rotate exposed keys, and restrict scopes, while it works on a broader remedy.
- Separately, Europol seized the LeakBase data-leak forum, with arrests across 14 countries, and took down Tycoon2FA by shutting down 330 domains used for large-scale phishing that bypassed two-factor authentication.
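One way to act on the audit-and-restrict guidance above from the defender's side: scan your own public web assets for Google API keys and check whether each key's API restriction would let it reach Gemini. This is an added Python example, not code from Truffle Security or Google; the sample keys, sources and key inventory are constructed, the inventory shape (`apiTargets` list of allowed services) is an assumption rather than the API Keys API schema, and the key regex is a heuristic that needs manual confirmation of hits.

```python
import re

# Google Cloud API keys are 39 chars starting "AIza"; common secret-scanning pattern.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")
# Gemini requests are served by the Generative Language API.
GEMINI_SERVICE = "generativelanguage.googleapis.com"

# Constructed sample keys, padded to the real length; they are not live credentials.
MAPS_KEY = "AIza" + "SyEXAMPLE_MAPS_KEY_".ljust(35, "0")
OPEN_KEY = "AIza" + "SyEXAMPLE_OPEN_KEY_".ljust(35, "0")

# Constructed website sources, as a crawl of your own public assets might collect them.
SAMPLE_SOURCES = {
    "index.html": f'<script src="https://maps.googleapis.com/maps/api/js?key={MAPS_KEY}"></script>',
    "app.js": f'const cfg = {{ apiKey: "{OPEN_KEY}" }};',
}

# Constructed key inventory. Assumed shape for this example: each key maps to the
# list of API services its restriction allows; an empty list means unrestricted.
SAMPLE_INVENTORY = {
    MAPS_KEY: {"apiTargets": ["maps-backend.googleapis.com"]},
    OPEN_KEY: {"apiTargets": []},
}

def find_keys(text):
    """Return the distinct Google API key candidates found in a blob of source."""
    return sorted(set(GOOGLE_API_KEY_RE.findall(text)))

def key_risk(meta):
    """Classify a key by whether its API restriction would let it call Gemini."""
    targets = meta.get("apiTargets", [])
    if not targets:
        return "UNRESTRICTED: usable against any enabled API, Gemini included"
    if GEMINI_SERVICE in targets:
        return "ALLOWS_GEMINI: restriction explicitly permits the Generative Language API"
    return "SCOPED: restricted to " + ", ".join(targets)

def audit(sources, inventory):
    """Map each key exposed in public source to where it appears and how risky it is."""
    findings = {}
    for path, src in sources.items():
        for key in find_keys(src):
            meta = inventory.get(key)
            status = key_risk(meta) if meta is not None else "UNKNOWN: not in inventory, rotate"
            findings.setdefault(key, {"seen_in": [], "status": status})["seen_in"].append(path)
    return findings

if __name__ == "__main__":
    for key, f in audit(SAMPLE_SOURCES, SAMPLE_INVENTORY).items():
        print(f"{key[:8]}... in {f['seen_in']}: {f['status']}")
```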