Developer Shocked by $82K Bill for Stolen Gemini API Key • The Register

Dev stunned by $82K Gemini API key bill after theft • The Register

A developer is facing $82,000 in unauthorized charges after their company’s Google Gemini API key was compromised. Within 48 hours, attackers racked up the costs, primarily on Gemini 3 Pro services. The company's usual monthly spend is $180, so the bill represents a 46,000% increase. Although the developer deleted the key and disabled APIs, they received little support from Google, which cited a shared responsibility model for security. They expressed fears that enforcing the cost would bankrupt their startup.

Concurrently, Truffle Security discovered 2,863 live Google API keys that were vulnerable to misuse and granted unauthorized access to sensitive data. Google acknowledged the findings, stating it had initiated measures to secure exposed keys and is addressing the vulnerabilities. Truffle advocates using its open-source scanning tool, TruffleHog, to detect leaked API keys, and warns of a growing attack surface as AI capabilities are integrated with existing platforms.
