Google API Keys Weren't Secrets. But then Gemini Changed the Rules.
Summary
The article explains how Google API keys, historically treated as non-secret identifiers, can become Gemini credentials when the Generative Language API is enabled, creating retroactive privilege escalation and insecure defaults. It cites 2,863 exposed keys, outlines attacker capabilities, and provides concrete remediation steps plus Google's roadmap for leakage mitigation.