Google API Key Stolen: Emergency Response Checklist and Prevention Guide

Tom

CEO & CTO Klack

It’s 11:47 PM on a Friday. You get an email from Google Cloud: “Unusual billing activity detected.” You open the dashboard — and you see thousands of API requests streaming in real time. Your Google API key has been stolen. Every second costs you money. Here’s exactly what to do in the next few minutes.

Phase 1: Emergency — 5 Immediate Actions (First 10 Minutes)

Action 1 — Revoke the Compromised Key Immediately

This is your absolute priority. Go to Google Cloud Console → APIs & Services → Credentials, find the compromised key and delete it, or click "Regenerate key" to replace the key string in place. If that key ships inside a mobile app or a partner integration you cannot update tonight, regenerating still breaks it; accept that, because every minute the old key stays valid is billed to you. Restriction and deletion changes can take a few minutes to propagate, so watch the traffic graph before assuming the bleeding has stopped. A deleted key is only soft-deleted and can be restored for 30 days (gcloud services api-keys undelete), so deletion is safe to do first and ask questions about later.

Via gcloud CLI:

# List all your API keys (the UID column is the KEY_ID used below)
gcloud services api-keys list --project=YOUR_PROJECT_ID

# If all you have is the leaked key string itself (from a scanner alert or a
# public repo), resolve it to its resource name first:
#   gcloud services api-keys lookup "AIza..." --project=YOUR_PROJECT_ID

# Revoke a specific key (replace KEY_ID); keys live in the "global" location
gcloud services api-keys delete KEY_ID --project=YOUR_PROJECT_ID

Action 2 — Set an Emergency Budget Alert

Even after revoking the key, immediately create a budget with alert thresholds at roughly your current spend + 10% so you are notified if other resources start consuming abnormally. Go to Billing → Budgets & Alerts → Create Budget. Be clear about what this does: a budget only sends notifications (e-mail, and optionally a Pub/Sub message); it never caps spending or disables anything on its own. Actually stopping spend requires a kill switch that reacts to that Pub/Sub message by disabling billing or the abused API, which is why the checklist at the end lists it separately.

Action 3 — Audit Usage Logs

You need to understand the scope of the compromise. In Cloud Console → Logging → Logs Explorer:

# In the Logs Explorer query field. Calls made with an API key are logged
# against the consumed_api resource, and credential_id identifies the key
# ("apikey:" followed by the key's UID as shown by gcloud services api-keys
# list; confirm the exact format on a few entries in your own project):
resource.type="consumed_api"
resource.labels.credential_id="apikey:KEY_UID"

# For Maps API calls specifically:
resource.type="consumed_api"
resource.labels.service="maps-backend.googleapis.com"

# Do not add severity>=ERROR: the requests that cost you money succeeded.
# Widen the time range past the default (last hour) to cover the whole incident.

Identify source IPs, call volumes, and APIs used. This information is crucial for Google Support.
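The numbers Billing Support will ask for (total volume, source IPs, methods, time window, peak rate) are easier to produce from an export than by scrolling the Logs Explorer. The script below is an added example, not code from the original article: it assumes you exported the matching entries with something like `gcloud logging read 'resource.type="consumed_api"' --format=json --freshness=7d > abuse.json`, and that each entry carries `resource.labels.{service,method,credential_id}` and `protoPayload.requestMetadata.callerIp`. Field names differ between APIs, so check them against your own export; the sample entries, key IDs and IPs embedded here are constructed placeholders.

```python
"""Summarise stolen-key traffic from exported Cloud Logging entries.

Added example (not the article's own code). Assumed input: the JSON array
written by `gcloud logging read ... --format=json`, with the field names
shown in _entry() below. Verify those against your export first.
"""
import json
from collections import Counter
from datetime import datetime, timezone


def _entry(ts, ip, method, key="apikey:stolen-key-id"):
    """Build one constructed log entry in the assumed consumed_api shape."""
    return {
        "timestamp": ts,
        "resource": {"type": "consumed_api",
                     "labels": {"service": "maps-backend.googleapis.com",
                                "method": method, "credential_id": key}},
        "protoPayload": {"requestMetadata": {"callerIp": ip}},
    }


# Constructed sample standing in for abuse.json: not real traffic, IPs are
# RFC 5737 documentation ranges, key IDs are placeholders.
SAMPLE_ENTRIES = [
    _entry("2024-05-17T23:47:01Z", "203.0.113.10", "Geocode"),
    _entry("2024-05-17T23:47:02Z", "203.0.113.10", "Geocode"),
    _entry("2024-05-17T23:47:03Z", "203.0.113.10", "Geocode"),
    _entry("2024-05-17T23:47:59Z", "198.51.100.7", "PlacesTextSearch"),
    _entry("2024-05-17T23:48:10Z", "203.0.113.10", "Geocode"),
    _entry("2024-05-17T23:48:30Z", "192.0.2.44", "Geocode", key="apikey:legit-key-id"),
]


def _get(d, path, default=None):
    """Safe nested lookup: _get(e, "protoPayload.requestMetadata.callerIp")."""
    for part in path.split("."):
        if not isinstance(d, dict) or part not in d:
            return default
        d = d[part]
    return d


def _parse_ts(ts):
    # Cloud Logging timestamps are RFC 3339 with a trailing Z; older Pythons
    # cannot parse the Z form, hence the replace.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def summarize(entries, credential_id=None):
    """Aggregate entries (optionally only those made with one key) into what
    Billing Support asks for: volume, source IPs, methods, window, peak rate."""
    if credential_id:
        entries = [e for e in entries
                   if _get(e, "resource.labels.credential_id") == credential_id]
    by_ip, by_method, by_key, per_minute = Counter(), Counter(), Counter(), Counter()
    stamps = []
    for e in entries:
        by_ip[_get(e, "protoPayload.requestMetadata.callerIp", "unknown")] += 1
        by_method[_get(e, "resource.labels.method", "unknown")] += 1
        by_key[_get(e, "resource.labels.credential_id", "unknown")] += 1
        ts = _parse_ts(e["timestamp"])
        stamps.append(ts)
        per_minute[ts.replace(second=0, microsecond=0)] += 1
    return {
        "total": len(entries),
        "by_ip": by_ip.most_common(),
        "by_method": by_method.most_common(),
        "by_key": by_key.most_common(),
        "first_seen": min(stamps).isoformat() if stamps else None,
        "last_seen": max(stamps).isoformat() if stamps else None,
        "peak_per_minute": max(per_minute.values()) if per_minute else 0,
    }


def support_report(summary):
    """Plain-text summary to paste into the support case."""
    lines = [
        f"Total requests: {summary['total']} between {summary['first_seen']} "
        f"and {summary['last_seen']} (peak {summary['peak_per_minute']}/min)",
        "Top source IPs: " + ", ".join(f"{ip} ({n})" for ip, n in summary["by_ip"][:5]),
        "Methods: " + ", ".join(f"{m} ({n})" for m, n in summary["by_method"][:5]),
    ]
    return "\n".join(lines)


def load_entries(path):
    """Read the JSON array written by `gcloud logging read --format=json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    import sys
    entries = load_entries(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    key = sys.argv[2] if len(sys.argv) > 2 else None   # e.g. apikey:KEY_UID
    print(support_report(summarize(entries, key)))
```

Run it as `python3 abuse_summary.py abuse.json apikey:KEY_UID`; filtering on the key ID matters because your legitimate traffic is in the same log, and the ticket should show the attacker's volume separately from yours. Keep the source IPs: they are what you cite as evidence that the calls did not come from you.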

Action 4 — Contact Google Cloud Billing Support

Many developers forget this step in the panic, but it is often where the final bill gets settled. Google reviews stolen-key incidents case by case and has frequently granted partial or full billing credits; there is no guarantee, but your chances are much better if:

  • You react quickly (under 24-48 hours)
  • You have evidence the calls didn’t come from you
  • It’s your first occurrence

Go to Cloud Console → Support → Cases → Create Case. Select “Billing” and describe the incident precisely with logs. Be factual, not dramatic.

Action 5 — Scan All Your Repos and Services

The stolen key came from somewhere. While support handles your ticket, audit everything:

# Search for Google API keys in your working tree, whatever the file type
# (pattern: AIza followed by 35 characters; -E is needed for the {35}
# quantifier, and the dash goes last in the bracket so it is literal)
grep -rEn --exclude-dir=.git --exclude-dir=node_modules 'AIza[0-9A-Za-z_-]{35}' .

# Which commits ever touched a .env file, on any branch
git log --all --full-history --oneline -- '*.env'

# Grep every commit on every branch (slow on big repos, but complete).
# A key that appears anywhere in the history of a repo that was ever public
# is compromised even if it was removed in a later commit.
git grep -E 'AIza[0-9A-Za-z_-]{35}' $(git rev-list --all) | cut -d: -f1,2 | sort -u

Phase 2: Analysis — How Did This Happen?

The most common vectors for Google API key theft, in order of frequency:

  1. Key exposed in front-end: visible in HTML or client-side JavaScript
  2. .env file committed to Git: potentially indexed by GitHub or automated scanners
  3. Public repo by mistake: a private repo made public, even briefly
  4. CI/CD environment variable: exposed in public build logs
  5. Secret manager not used: keys stored in plain text configs

Tools like GitGuardian scan GitHub continuously and detect exposed keys within seconds of a push. The bots that exploit these keys are automated and often act within minutes of detection.

Phase 3: Prevention — How to Never Let This Happen Again

Restrict All Your API Keys (Do This Right Now)

Every Google Cloud API key can be restricted by application (HTTP referrer, IP address, Android package, iOS bundle) and by API (only Maps, only Places, etc.). An unrestricted key can call any API enabled in the project, which is how a key copied out of a Maps widget ends up paying for someone else's Translate or Vision jobs. Restrictions matter all the more because a browser key cannot be kept secret at all: it travels with every request and sits in the page source, so the restrictions are the control, not secrecy.

In Credentials → Edit API Key:

  • Application restrictions: HTTP referrers (for web keys), IP addresses (for server keys), package name or bundle ID (for mobile keys)
  • API restrictions: select only the APIs this key needs to call

One caveat: referrer restrictions are checked against the Referer header, which any non-browser client can forge, so they stop copy-and-paste reuse rather than a determined attacker. Pair them with API restrictions and with per-API quota caps (APIs & Services → Quotas) so that no single key can run up an unbounded bill.
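Finding the keys that still need this treatment is tedious by hand once a project has more than a handful. The script below is an added example (not the article's or Google's code) that audits the JSON written by `gcloud services api-keys list --project=YOUR_PROJECT_ID --format=json` and reports every key lacking an API restriction or an application restriction. It assumes the camelCase field names of the API Keys v2 resource (`restrictions.apiTargets`, `browserKeyRestrictions.allowedReferrers`, and so on); verify them against your own output. The sample keys are constructed.

```python
"""Flag Google Cloud API keys that are missing restrictions.

Added example, not from the original article. Input: the JSON array from
    gcloud services api-keys list --project=PROJECT --format=json
Assumed field names follow the API Keys v2 resource; check your own output.
"""
import json
import sys

# Constructed sample resembling the gcloud output (not real keys).
SAMPLE_KEYS = [
    {"name": "projects/123/locations/global/keys/aaaa", "displayName": "legacy-web-key",
     "restrictions": {}},
    {"name": "projects/123/locations/global/keys/bbbb", "displayName": "website-maps",
     "restrictions": {
         "apiTargets": [{"service": "maps-backend.googleapis.com"}],
         "browserKeyRestrictions": {"allowedReferrers": ["https://www.example.com/*"]}}},
    {"name": "projects/123/locations/global/keys/cccc", "displayName": "backend-geocoder",
     "restrictions": {"serverKeyRestrictions": {"allowedIps": ["198.51.100.20"]}}},
]

# Each application-restriction block and the list inside it that must be non-empty.
APP_RESTRICTION_FIELDS = {
    "browserKeyRestrictions": "allowedReferrers",
    "serverKeyRestrictions": "allowedIps",
    "androidKeyRestrictions": "allowedApplications",
    "iosKeyRestrictions": "allowedBundleIds",
}

NO_API_RESTRICTION = "no API restriction (can call every API enabled in the project)"
NO_APP_RESTRICTION = "no application restriction (usable from anywhere)"


def audit_key(key):
    """Return the problems found for one key; an empty list means it is restricted."""
    r = key.get("restrictions") or {}
    problems = []
    if not r.get("apiTargets"):
        problems.append(NO_API_RESTRICTION)
    has_app_restriction = any((r.get(block) or {}).get(field)
                              for block, field in APP_RESTRICTION_FIELDS.items())
    if not has_app_restriction:
        problems.append(NO_APP_RESTRICTION)
    return problems


def audit_keys(keys):
    """All keys with at least one problem, keeping the gcloud ordering."""
    findings = []
    for k in keys:
        problems = audit_key(k)
        if problems:
            findings.append({"name": k["name"],
                             "displayName": k.get("displayName", ""),
                             "problems": problems})
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            keys = json.load(fh)
    else:
        keys = SAMPLE_KEYS
    findings = audit_keys(keys)
    for f in findings:
        print(f"{f['displayName'] or f['name']}:")
        for p in f["problems"]:
            print(f"  - {p}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `gcloud services api-keys list --format=json > keys.json && python3 audit_keys.py keys.json`; a non-zero exit makes it usable as a scheduled check. Fix a flagged key with the same console dialog, or with `gcloud services api-keys update KEY_ID --api-target=service=maps-backend.googleapis.com --allowed-referrers='https://www.example.com/*'` (check `gcloud services api-keys update --help` for the flags available in your gcloud version).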

Use Google Secret Manager

Secret Manager keeps server-side keys out of source code, .env files and build logs; it does nothing for a key that must be shipped to a browser or mobile app, where restrictions (above) are the only control.

# Create a secret. Use printf rather than a here-string (<<<), which appends
# a newline to the stored value; the replication policy is required on older
# gcloud versions.
printf '%s' "YOUR_API_KEY" | gcloud secrets create my-api-key \
  --data-file=- \
  --replication-policy="automatic" \
  --project=YOUR_PROJECT_ID

# Rotating later means adding a version, not editing code:
#   printf '%s' "NEW_API_KEY" | gcloud secrets versions add my-api-key --data-file=-

# Access the secret in Python. The service account running this code needs
# roles/secretmanager.secretAccessor on the secret (grant it on the secret,
# not on the whole project).
from google.cloud import secretmanager

client = secretmanager.SecretManagerServiceClient()
name = "projects/YOUR_PROJECT_ID/secrets/my-api-key/versions/latest"
response = client.access_secret_version(request={"name": name})
api_key = response.payload.data.decode("UTF-8")
# Read it once at startup and keep it in memory; do not call access_secret_version
# per request, and never log api_key.

Scan for Secrets in CI/CD with truffleHog

# Install truffleHog v3 (the Go binary). The PyPI "trufflehog" package is the
# old v2 Python tool and does not understand the flags below.
brew install trufflehog
# or run it from the official image without installing anything:
docker run --rm -v "$PWD:/repo" trufflesecurity/trufflehog:latest git file:///repo --only-verified

# Scan your repo, reporting only secrets whose validity truffleHog confirmed
# against the provider (newer versions spell this --results=verified)
trufflehog git file://. --only-verified

# Add a pre-commit hook: .git/hooks/pre-commit, then chmod +x it.
# Only added lines are checked (leading "+", excluding the "+++" file header),
# so a commit that removes a key is not blocked.
#!/bin/bash
if git diff --cached -U0 | grep -E '^\+' | grep -vE '^\+\+\+ ' | grep -E 'AIza[0-9A-Za-z_-]{35}'; then
  echo "ERROR: Google API key detected in staged changes!" >&2
  exit 1
fi
# Hooks in .git/hooks are not versioned. To share one with the team, commit it
# under .githooks/ and run: git config core.hooksPath .githooks
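The grep in Action 5 and the pre-commit hook above share one piece of logic: recognise an AIza… key, and in the hook's case only on lines being added. The script below is an added example (not the article's own code) that implements both in one place: `scan_tree` walks a working tree the way the grep does, and `keys_in_added_lines` parses a unified diff so the hook ignores keys on removed lines. The helper names, the sample diff and the sample key are constructed for illustration; the sample key is not a real credential, just "AIza" followed by 35 placeholder characters.

```python
"""Find Google API keys in files and in staged diffs.

Added example, not from the original article. The regex is the AIza + 35
characters shape the article describes; everything else is constructed.
"""
import os
import re
import subprocess
import sys

GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")

# Constructed, not a real key: "AIza" plus exactly 35 placeholder characters.
SAMPLE_KEY = "AIza0123456789abcdefghijklmnopqrstuvwxy"

# Constructed `git diff --cached -U0` output: the key on a removed line (must be
# ignored), on an added line (must be caught), and an unchanged context line.
SAMPLE_DIFF = f"""diff --git a/config.js b/config.js
--- a/config.js
+++ b/config.js
@@ -1,2 +1,2 @@
-const OLD_KEY = "{SAMPLE_KEY}";
+const KEY = "{SAMPLE_KEY}";
 const region = "eu";
"""


def redact(key):
    """Enough to identify the key in a report without reprinting it whole."""
    return key[:8] + "..." + key[-4:]


def find_keys(text):
    """Every AIza... key in the text, in order of first appearance, no duplicates."""
    seen = []
    for m in GOOGLE_API_KEY_RE.finditer(text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def keys_in_added_lines(diff_text):
    """Keys on '+' lines of a unified diff, skipping the '+++' file header,
    so that a commit which removes a key is not blocked."""
    hits = []
    for line in diff_text.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            hits.extend(k for k in find_keys(line) if k not in hits)
    return hits


def scan_tree(root="."):
    """(path, redacted key) pairs for every text file under root, skipping
    .git and node_modules; undecodable bytes are ignored rather than fatal."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    for key in find_keys(fh.read()):
                        findings.append((path, redact(key)))
            except OSError:
                continue
    return findings


def main(argv):
    # --staged: pre-commit mode, exit 1 if a key is being added.
    if argv[1:2] == ["--staged"]:
        diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                              capture_output=True, text=True, check=True).stdout
        hits = keys_in_added_lines(diff)
        for k in hits:
            print(f"ERROR: Google API key {redact(k)} in staged changes", file=sys.stderr)
        return 1 if hits else 0
    # Otherwise: scan a directory (default: current) like the grep in Action 5.
    for path, key in scan_tree(argv[1] if len(argv) > 1 else "."):
        print(f"{path}: {key}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Saved as, say, scripts/find_google_keys.py (hypothetical path), the hook body becomes `exec python3 scripts/find_google_keys.py --staged`, and `python3 scripts/find_google_keys.py .` replaces the grep. It only sees the working tree; history still needs the git grep from Action 5.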

Complete Post-Incident Checklist

  • ☑ Compromised key revoked immediately
  • ☑ Emergency budget alert created
  • ☑ Usage logs analyzed (IPs, volumes, APIs)
  • ☑ Google Billing support ticket opened with evidence
  • ☑ All repos scanned for other exposed keys
  • ☑ All existing keys restricted (application + API)
  • ☑ Keys migrated to Secret Manager
  • ☑ Pre-commit detection hooks installed
  • ☑ Automatic kill switch configured (see our dedicated guide)
  • ☑ Incident procedure documented for next time

🔐 Not sure your API keys and cloud configuration are secure?

Klack offers a complete security audit: exposed key detection, billing limit setup, automatic alerts, and kill switch implementation. Response within 24-48 hours.

👉 Book a free diagnostic call →
