February 25, 2026

When “public” turns personal

Google API keys weren't secrets, but then Gemini changed the rules

The “not-secret” Google codes suddenly unlock your AI — devs furious and laughing

TLDR: Google’s AI Gemini started accepting old Google API keys that were never meant to be secret, potentially exposing private data and billing. Commenters are split between dark humor and outrage, demanding Google block pre-Gemini keys and separate public vs. secret keys to prevent surprise access.

Google spent a decade saying those “AIza…” API keys were fine to paste into public websites — they were like license plates for billing, not passwords. Then Gemini, Google’s new AI, arrived and quietly started accepting the same keys for private access. Cue chaos. The report claims nearly 3,000 keys found in public sites now unlock sensitive Gemini data — and yes, even some Google-owned keys — turning harmless map codes into surprise skeleton keys. The community lit up like a Christmas tree. One camp cackled at the absurdity: as selridge joked, it’s a “villain-less” saga of big-company unwieldiness. Another camp went full side-eye, with bpodgursky quipping it’s “AI writing posts about AI breaking security” — meme-ification complete. The angriest voices? Folks like warmedcookie and devsda who say Google moved the goalposts: public keys shouldn’t suddenly become secrets, and calling them “leaked” is gaslighting if Google told everyone they weren’t secrets. The practical crowd wants fixes: block all pre-Gemini keys from Gemini, split “publishable” vs “secret” keys, and stop the default “unrestricted” setting. The vibe is equal parts sitcom and scandal: keys that once opened Maps are now opening your files. For context, Google literally told devs keys weren’t secrets in Firebase docs and had them paste keys into Maps HTML.

Key Points

  • Google used a single API key format (AIza...) for both public identification and sensitive authentication across Google Cloud.
  • Enabling the Gemini (Generative Language) API causes existing public API keys to gain access to sensitive Gemini endpoints without warning.
  • New Google Cloud API keys default to “Unrestricted,” making them valid for all enabled APIs in the project, including Gemini.
  • A scan of millions of websites found nearly 3,000 publicly embedded Google API keys that now authenticate to Gemini, enabling access to private data and billing.
  • The issue is framed under CWE-1188 (Insecure Default) and CWE-269 (Incorrect Privilege Assignment), highlighting lack of key separation and unsafe defaults.
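
An added illustration of the defensive check the key points imply (not code from the report or from Google): a Python audit over key records in the JSON shape returned by `gcloud services api-keys list --format=json` (API Keys API v2 `Key` resources, with `restrictions.apiTargets` and `restrictions.browserKeyRestrictions`), flagging keys that can reach the Generative Language API. The sample key records and the HTML snippet are constructed, and the `AIza...` regex is an assumption about the key string format.

```python
"""Audit Google Cloud API keys for the Gemini exposure described above (added example)."""
import json
import re

GEMINI_SERVICE = "generativelanguage.googleapis.com"  # service name of the Gemini API
# Assumed shape of the "AIza..." key strings the page discusses.
KEY_STRING_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

# Constructed sample mimicking `gcloud services api-keys list --format=json` output.
SAMPLE_KEYS_JSON = json.dumps([
    {"name": "projects/p/locations/global/keys/maps-web", "displayName": "Maps website key",
     "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]}}},
    {"name": "projects/p/locations/global/keys/legacy", "displayName": "Pre-Gemini key"},
    {"name": "projects/p/locations/global/keys/server", "displayName": "Server key",
     "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
])


def can_reach_gemini(key: dict) -> bool:
    """True when the key has no API-target restriction (so it is valid for every
    enabled API, Gemini included) or explicitly targets the Generative Language API."""
    targets = key.get("restrictions", {}).get("apiTargets", [])
    if not targets:
        return True  # "Unrestricted": the unsafe default the page describes
    return any(t.get("service") == GEMINI_SERVICE for t in targets)


def is_browser_key(key: dict) -> bool:
    """HTTP-referrer restrictions mark a key intended for embedding in web pages."""
    return "browserKeyRestrictions" in key.get("restrictions", {})


def audit_keys(keys_json: str) -> dict:
    """Map key name -> finding for every key that could authenticate to Gemini."""
    findings = {}
    for key in json.loads(keys_json):
        if not can_reach_gemini(key):
            continue  # API targets exclude Gemini: nothing to report
        if is_browser_key(key):
            findings[key["name"]] = "public browser key can call Gemini; add API targets that exclude it"
        else:
            findings[key["name"]] = "no API target restriction; restrict to needed APIs or rotate"
    return findings


def find_embedded_keys(html: str) -> list:
    """Self-audit: list AIza... key strings embedded in your own page source."""
    return KEY_STRING_RE.findall(html)


if __name__ == "__main__":
    for name, finding in audit_keys(SAMPLE_KEYS_JSON).items():
        print(f"{name}: {finding}")
```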

Hottest takes

“It’s their world now, we’re just watching” — bpodgursky
“There are no ‘leaked’ keys if Google hasn’t been calling them a secret” — devsda
“Private data should not be allowed to be accessed using public keys” — the_arun
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.