Is google exposing AI API keys on purpose?

Recently, I've integrated the Gemini AI API into the workflow of a project of mine.

I want to share my experience!

Here are my two cents:

Gemini AI is slow, and the error rate is quite high. I would say, on average, the success API response rate in my case was 94%, so I had to implement a retry mechanism

Is Google exposing AI API keys on purpose?

Somehow, my API Key was exposed and misused by someone else, and I had to pay an extra $12 on top. For me, this is not a huge deal, but the other cases are more terrifying.

The API key was generated and saved to the env file on the server via ssh, so I don't think I made a mistake of sending it somewhere else or exposing it in any way.

And I've found some evidence that this has happened with other users also:

https://www.malwarebytes.com/blog/news/2026/02/public-google-api-keys-can-be-used-to-expose-gemini-ai-data