This is interesting but the linked articles is even more interesting.

https://trufflesecurity.com/blog/google-api-keys-werent-secr...

> Even Google themselves had old public API keys, which they thought were non-sensitive, that we could use to access Google’s internal Gemini.

This is just a classic slow clap here for Cloud.