HeadlinesBriefing.com

Google Gemini API Keys Exposed in Security Flaw

Hacker News

A critical security flaw in Google's API infrastructure exposed thousands of API keys to unauthorized access. Google API keys designed for public use in Google Maps were found to grant access to Gemini AI services when those projects were later enabled for Gemini billing. This created a privilege escalation vulnerability where previously harmless keys could access sensitive AI endpoints.

Truffle Security discovered 2,863 exposed API keys in the November 2025 Common Crawl that could access Gemini models. The flaw stemmed from Google's shared key infrastructure - keys embedded in web pages for Maps suddenly gained dangerous capabilities when Gemini was enabled on the same project. Developers received no warning that their public keys had transformed into secret credentials. The issue included keys belonging to Google itself, with one dating back to February 2023, predating the Gemini API entirely.

Google is revoking affected keys, but developers should audit their API keys immediately. This incident highlights the risks of shared infrastructure across services with different security models. The vulnerability demonstrates how seemingly benign configuration choices can create serious security exposures when underlying service capabilities change without clear communication to users.
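As an added defender-side illustration of the audit the briefing recommends (this is example code, not code from the briefing, from Google or from Truffle Security), the Python below scans a constructed web page for Google API key tokens, reports where each key appears and which Google service the surrounding code is seen calling. The sample page, its hostnames as markers and the placeholder key values are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Google API keys are 39 characters: the prefix "AIza" plus 35 characters from
# [A-Za-z0-9_-]; the lookahead stops the match at the end of the token.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")

# Hostnames used to note which Google service a key is observed being sent to.
MAPS_HOST = "maps.googleapis.com"
GEMINI_HOST = "generativelanguage.googleapis.com"

# Constructed sample page; the key values are placeholders, not real credentials.
SAMPLE_HTML = """<!doctype html>
<script src="https://maps.googleapis.com/maps/api/js?key=AIzaSyEXAMPLE_KEY_PLACEHOLDER_000000001&callback=initMap"></script>
<script>
  // Constructed: the same Maps key reused directly in front-end code.
  const MAPS_KEY = "AIzaSyEXAMPLE_KEY_PLACEHOLDER_000000001";
  // Constructed: a second key hard-coded on the client and sent to the Gemini API.
  fetch("https://generativelanguage.googleapis.com/v1beta/models?key=AIzaSyEXAMPLE_KEY_PLACEHOLDER_000000002");
</script>
"""

def find_google_api_keys(text):
    """Return {key: [(line_no, stripped_line), ...]} for every key-shaped token."""
    hits = defaultdict(list)
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            hits[match.group(0)].append((line_no, line.strip()))
    return dict(hits)

def audit(text):
    """One record per distinct key: where it appears and which services it is seen calling."""
    report = []
    for key, places in find_google_api_keys(text).items():
        context = "\n".join(line for _, line in places)
        report.append({
            "key": key,
            "lines": [n for n, _ in places],
            "used_for_maps": MAPS_HOST in context,
            "used_for_gemini": GEMINI_HOST in context,
        })
    return report

if __name__ == "__main__":
    for entry in audit(SAMPLE_HTML):
        services = [s for s in ("maps", "gemini") if entry[f"used_for_{s}"]]
        print(f"{entry['key']}  lines={entry['lines']}  seen calling: {services or ['unknown']}")
```

Any key the scan reports is, by construction, public; the follow-up is to confirm in the Google Cloud project that its API restrictions do not include services it was never meant to reach.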