
Misused Gemini API key results in sky-high AI costs for startup

A stolen API key for Google Gemini has left a small startup with a bill of more than $82,000. The incident illustrates how quickly the costs of generative AI can mount up when access keys fall into the wrong hands.

This was reported by The Register. The company’s developer described on Reddit how his startup’s Google Cloud API key was allegedly misused between February 11 and 12. During that period, $82,314 worth of AI requests were made using the key. According to him, most of those costs were incurred through the use of Gemini 3 Pro Image and Gemini 3 Pro Text.

For the company, this represents a huge deviation from its usual consumption. The startup, which consists of three developers in Mexico, normally spends about $180 per month on Google services. The unexpected costs, therefore, represent an increase of about 46,000 percent.

When the team discovered the problem, it revoked the API key in question and disabled the Gemini API. Credentials were also rotated, and additional security measures were taken. However, according to the developer, contacting Google support did not provide an immediate solution.

In its communication with the company, Google reportedly referred to the principle of shared responsibility. Under this principle, Google secures the cloud infrastructure, while customers remain responsible for protecting API keys and applications. The developer expressed concern about the financial consequences if the full amount is charged.

Thousands of public Google API keys found

Security researchers at Truffle Security have indicated that the problem may be more widespread. They found thousands of Google API keys that are publicly accessible on the internet. In total, they identified 2,863 active keys that can also be used to send requests to the Gemini API.

Many of these keys were originally used to identify projects in services such as Google Maps or Firebase. In some cases, this makes them visible in websites or source code. When Gemini functionality is later added to a project, the same key can also be used for AI requests. This allows unauthorized persons to use AI at the expense of the account associated with the key.

Google says it is aware of the research and is working with the researchers to address the issue. According to the company, measures have now been taken to detect and block leaked keys when they attempt to access the Gemini API.

Meanwhile, Google is further expanding its AI offerings. The company recently introduced Gemini 3.1 Flash-Lite, a model designed for applications with large numbers of requests and lower costs per token. With this, Google wants to offer developers a cheaper alternative for large-scale use of generative AI.

However, the incident shows that lower prices are not the only concern. Without restrictions on API usage or proper key security, misuse of AI services can quickly lead to very high cloud costs.
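As an added example that is not part of the article, The Register's reporting, or any Google or Truffle Security code, the Python script below covers the two defensive controls the last paragraphs point at: spotting a Google-format API key embedded in shipped web assets (the Maps/Firebase-style exposure described above) and flagging a day whose spend is far outside the recent baseline. The key, the HTML snippet and the spend figures are constructed for the example; the only real-world fact it relies on is the public shape of Google API keys (the prefix `AIza` followed by 35 URL-safe characters).

```python
import re
import statistics
from typing import List, Tuple

# Google API keys share a public, documented shape: "AIza" followed by 35
# characters from [0-9A-Za-z_-]. Lookarounds stop us matching inside a
# longer token. Only the shape is real; every key in this file is constructed.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)

# Constructed sample key: 4-character prefix + 35 characters, not a real key.
CONSTRUCTED_KEY = "AIzaSyEXAMPLE" + "0" * 26

# Constructed web page that ships the key to every visitor, in the two places
# such keys usually appear: a Maps script tag and a Firebase config object.
SAMPLE_HTML = f"""
<script src="https://maps.googleapis.com/maps/api/js?key={CONSTRUCTED_KEY}"></script>
<script>
  const firebaseConfig = {{ apiKey: "{CONSTRUCTED_KEY}", projectId: "demo" }};
</script>
"""


def find_google_api_keys(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_key) for every key-shaped token in text.

    The key is masked in the result so the scanner's own output (CI logs,
    tickets) does not become another place the full key is exposed.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            key = match.group(0)
            hits.append((lineno, key[:8] + "..." + key[-4:]))
    return hits


def spend_spikes(
    daily_spend: List[float], baseline_days: int = 7, factor: float = 5.0
) -> List[Tuple[int, float]]:
    """Flag days whose spend exceeds `factor` times the median of the
    preceding `baseline_days`. The median is used so that one runaway day
    does not immediately inflate the baseline and hide the next one."""
    spikes = []
    for i in range(baseline_days, len(daily_spend)):
        baseline = statistics.median(daily_spend[i - baseline_days:i])
        if baseline > 0 and daily_spend[i] > factor * baseline:
            spikes.append((i, daily_spend[i]))
    return spikes


# Constructed daily spend in USD: roughly $6/day (about $180/month) followed
# by two days of runaway usage at the scale of the figures in the article.
SAMPLE_DAILY_SPEND = [5.9, 6.2, 5.7, 6.0, 6.4, 5.8, 6.1, 40000.0, 42314.0]


if __name__ == "__main__":
    for lineno, masked in find_google_api_keys(SAMPLE_HTML):
        print(f"line {lineno}: Google API key present ({masked})")
    for day, amount in spend_spikes(SAMPLE_DAILY_SPEND):
        print(f"day {day}: spend ${amount:,.2f} is far above baseline")
```

Run the first check in CI or a pre-commit hook over anything that ends up in a browser, and the second over exported daily billing data. Two caveats a practitioner would add: a key that legitimately has to live in client-side code is not a secret and should instead be locked down with Google Cloud's API key restrictions (limit which APIs and which referrers or apps may use it) so that a Maps key cannot later be turned into a Gemini key; and a Cloud Billing budget alert only notifies, it does not stop the requests, so the alert needs to be wired to something that actually revokes the key or disables the API.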