Google API keys, previously considered non-sensitive, can now be used to access sensitive data on the Gemini API, potentially allowing attackers to access private data, run up bills, and exhaust quotas. This is due to a change in how API keys are handled, where existing keys can silently gain access to sensitive Gemini endpoints without warning or confirmation. The issue affects nearly 3,000 Google API keys found on the public internet, including those from major financial institutions and Google itself. Users are advised to audit their API keys and restrict access to sensitive services.