[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fcKYKza0XFN9q6G7prZ5pwbipqFCRZs-ewNL2uoAa3p0":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"cd92bee5-6752-4fad-8cf8-bc25ee36a6fb","Deleted Google API Keys Remain Active up to 23 Minutes, Study Finds","deleted-google-api-keys-remain-active-up-to-23-minutes-study-finds-3f9c32","Deleted Google API Keys remain active for up to 23 minutes after deletion, exposing GCP, Gemini, BigQuery, and Maps data to attackers.","Aikido Security's research reveals that deleted Google API keys continue to authenticate successfully for an average of 16 minutes, with delays reaching up to 23 minutes. The delay stems from eventual consistency in Google's distributed authentication infrastructure, allowing attackers with leaked keys to access GCP, Gemini, BigQuery, and Maps APIs during the propagation window. Google closed the security report as \"won't fix,\" treating the delay as a known system property rather than a vulnerability.","Deleted Google API keys remain active for up to 23 minutes due to eventual consistency delays.","Deleted Google API Keys Remain Active up to 23 Minutes, Study Finds. Deleted Google API Keys remain active for up to 23 minutes after deletion, exposing GCP, Gemini, BigQuery, and Maps data to attackers. By Deeba Ahmed, May 21, 2026. A new study conducted by the cybersecurity firm Aikido Security reveals that deleted Google API keys stay active and can continue authenticating successfully for up to 23 minutes after they are removed. The results were obtained after running 10 controlled trials over two days to measure the delay. Key Findings An API key is a string of data used to authenticate requests between software applications. 
According to researchers, the Google Cloud Platform (GCP) console shows the key as deleted immediately. However, tests showed that the keys actually take an average of 16 minutes to stop working completely, with the longest delay lasting nearly 23 minutes. During this timeframe, threat actors holding a leaked key retain full access to any enabled APIs on the project. This allows them to exfiltrate cached conversations and dump files uploaded to Gemini. They can also access BigQuery data and Maps APIs. Why Does The Issue Occur? In the blog post, which was published today and shared exclusively with Hackread.com, researchers explained that this issue happens because of eventual consistency in Google’s authentication infrastructure. In this distributed systems model, updates propagate gradually across global servers rather than all at once. This means when you delete a key, the message does not reach every Google server around the world immediately, giving hackers a temporary gap to use the key on servers that haven’t updated yet. This identical class of infrastructure issue was demonstrated on AWS last year by researcher Eduard Agavriloae, though the AWS revocation window was only 4 seconds. Tracking and Infrastructure Differences The attack method relies on the hacker sending continuous authenticated requests to rotate through Google’s global authentication servers before they sync. Testing across different GCP regions revealed regional variations. In the first minute after deletion, virtual machines in the asia-southeast1 region saw a median success rate of 22%, while us-east1 and europe-west1 both allowed 49% of requests to succeed. For incident response teams, tracking the timeline of events during an attack is complicated by the GCP “Traffic by Credential” graph. When a key gets deleted, any further authentication attempts by an attacker are bundled into a generic category labelled apikey:UNKNOWN. 
This makes it difficult to pinpoint which specific credential an attacker is trying to misuse. Researchers noted that Google has already solved faster propagation for other credential types. For example, Google Service Account keys revoke in roughly 5 seconds, while newer Gemini-format keys (which use an AQ. prefix) take about 1 minute. Aikido Security reported these findings to Google, but the company closed the report as “won’t fix,” stating that propagation delay is a known property of the system and not a security flaw. Consequently, researchers advise treating Google API key deletion as a 30-minute operation and monitoring the GCP console for valid authentications within that window.","https:\u002F\u002Fhackread.com\u002Fdeleted-google-api-keys-active-23-minutes\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fdeleted-google-api-keys-active-23-minutes.png","2026-05-21T16:03:12+00:00","2026-05-21T18:00:27.692374+00:00",8,[18,21,24,26,28,30],{"name":19,"type":20},"Google","vendor",{"name":22,"type":23},"Google Cloud Platform (GCP)","product",{"name":25,"type":23},"Gemini",{"name":27,"type":23},"BigQuery",{"name":29,"type":23},"Google Maps API",{"name":31,"type":20},"Aikido Security","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":32,"icon":34,"name":35,"slug":36},null,"Vulnerabilities","vulnerabilities",[38,43,48],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":44},{"id":45,"icon":34,"name":46,"slug":47},"c70f3a41-2f0c-4608-870d-b8cbcd8be076","Cloud Security","cloud-security",{"category":49},{"id":50,"icon":34,"name":51,"slug":52},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[]]