Developer faces ₹68 lakh Gemini API bill after key theft.

Stolen Gemini API Key Leads to Over ₹68 Lakh Bill, Developer Left Shocked

The420.in Staff

A serious security incident has emerged amid the growing adoption of cloud-based AI services: a startup suffered massive financial losses after a suspected API key theft. According to reports, misuse of a developer’s Google Gemini API key resulted in unauthorized spending of approximately $82,314 (over ₹68 lakh) within just 48 hours, against a usual monthly bill of around ₹15,000, pushing the business into financial uncertainty.

Startup Faces Bankruptcy After 48-Hour API Key Theft

The founder of the Mexico-based startup, which has three developers, said the API key was compromised between February 11 and 12 by an unknown attacker. The attacker reportedly used the key to run large volumes of requests against the Gemini 3 Pro Image and Gemini 3 Pro Text services, driving the bill up unexpectedly. The developer wrote on social media that the incident has left him in a state of shock and severe anxiety.

Following the discovery, the developer immediately deleted the compromised API key, rotated all credentials, and tightened security. Despite these actions, the company reportedly received little assistance from Google support. Google representatives allegedly cited the shared responsibility model: securing the platform is Google’s duty, while customers must secure their own credentials and tools. This has raised serious concerns about the startup’s survival.

The developer fears that if the company is forced to pay the full amount, it may go bankrupt. He said the company is barely able to keep operating and is relying on future products succeeding. The incident has also raised questions about the billing safeguards of AI-based cloud services.


Researchers Uncover 2,800+ Exposed Google API Keys

Cybersecurity researchers have issued warnings after a large-scale study of the problem. Researchers from Truffle Security scanned millions of websites and identified 2,863 active Google API keys that were publicly accessible and could potentially grant access to sensitive systems. They warned that attackers could use such keys to upload files, read cached data, and run up AI usage charges, all with what look like valid credentials.

The report traced the root of the problem to how Google Cloud API keys are designed and used. Google’s documentation had previously described API keys as identifiers for an application rather than as password-style security credentials, which is why they commonly appear in client-side code, for example in Maps integrations. With the Gemini API accepting the same keys, a key exposed that way can now be used to incur charges on the project’s bill. The keys are also easy to spot, since they begin with the string AIza, so scanning for them at scale is straightforward.

Why Old API Keys Become AI Security Risks

Researchers also noted that API keys issued for older projects can become security risks when new AI services are enabled on the same project. If a website’s source code still contains an old Maps API key and the same Google Cloud project later enables the Gemini API, an attacker who scrapes the key from the page can use it to make billable Gemini calls.
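To make the scraping risk described above concrete, here is an added example, not code from the article or from Truffle Security: a small scanner that finds Google API keys in page source by their fixed AIza prefix and 39-character length, drops low-entropy placeholders such as redacted documentation values, and records which Google host the key appeared beside. The page source, the key values, and the entropy threshold are constructed for this example; the keys are not real credentials, and a key found next to a Maps embed is still reported, because the same key can reach whatever other APIs the project has enabled.

```python
import math
import re
from dataclasses import dataclass

# Google Cloud API keys are 39 characters: the literal prefix "AIza" followed by
# 35 URL-safe characters. The fixed prefix is what makes leaked keys easy to find
# in page source. The look-around boundaries reject strings that are too short or
# that run on past 39 characters.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"
)

# Placeholders such as "AIzaXXXX..." match the format but are not secrets. Real
# keys are high-entropy; this threshold (bits per character) is an assumption of
# this example, not a figure from the article.
MIN_ENTROPY_BITS = 3.0

# Host names on the same line give a hint about which product the key sat next to.
# The hint does not bound the blast radius: a key embedded for Maps still works
# against the Gemini API if that API is enabled on the same project.
SERVICE_HINTS = {
    "maps.googleapis.com": "maps",
    "generativelanguage.googleapis.com": "gemini",
}

# Redacted form often copied from docs and screenshots (constructed, not a key).
REDACTED_KEY = "AIza" + "X" * 35

# Constructed page source for the example; the key-shaped strings are made up.
SAMPLE_PAGE_SOURCE = """<!doctype html>
<html>
<head>
  <script src="https://maps.googleapis.com/maps/api/js?key=AIzaSyD3xample0Maps1Key2Embedded3InPage"></script>
  <script>
    // legacy Gemini call left in client-side code from an earlier version of the app
    fetch("https://generativelanguage.googleapis.com/v1beta/models?key=AIzaSyB0gus1Gemini2Key3Left4In5ClientJs");
    const placeholder = "REDACTED_KEY";  // redacted value copied from the docs
  </script>
</head>
<body>
  <p>Not a key: AIzaTooShort</p>
</body>
</html>
""".replace("REDACTED_KEY", REDACTED_KEY)


@dataclass(frozen=True)
class Finding:
    line_no: int        # 1-based line in the scanned text
    masked_key: str     # prefix and suffix only, safe to put in a ticket
    service_hint: str   # "maps", "gemini" or "unknown"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask_key(key: str) -> str:
    """Keep the AIza prefix and the last 4 characters so a finding can be
    reported without re-leaking the credential in logs."""
    return f"{key[:4]}...{key[-4:]}"


def find_google_api_keys(text: str) -> list[Finding]:
    """Scan text (page source, a JS bundle, a config file) for Google API keys."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            key = match.group(0)
            if shannon_entropy(key) < MIN_ENTROPY_BITS:
                continue  # placeholder or redacted value, not a live-looking key
            hint = "unknown"
            for host, name in SERVICE_HINTS.items():
                if host in line:
                    hint = name
                    break
            findings.append(Finding(line_no, mask_key(key), hint))
    return findings


if __name__ == "__main__":
    for f in find_google_api_keys(SAMPLE_PAGE_SOURCE):
        print(f"line {f.line_no}: {f.masked_key} (near: {f.service_hint})")
```

Run the same function over a production bundle or a crawl of your own domains; any finding is a key to restrict or rotate, regardless of which service it was originally embedded for.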

Google’s Response and Future AI Security Advice

In response, Google stated that it is working on security improvements and implementing measures to detect and block leaked API keys. It has not said whether the affected developer will be required to pay the charges or whether Google will absorb the loss.

Experts expect that as AI services are wired into existing digital infrastructure, the attack surface will grow with them. Companies adopting AI services are advised to invest in key management, monitoring, and access control. In practice that means restricting each API key to the APIs and referrers it actually needs, keeping keys out of client-side code, rotating them, and setting billing budgets and alerts so that a spending spike like the one described here is caught within hours rather than when the invoice arrives.

About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
