Deleted Google API Keys May Keep Working

Security researchers say some Google Cloud API keys can keep working for several minutes after users delete them, creating a risky gap during incident response.

Dark Reading reports that Joe Leon, a researcher at Aikido Security, tested Google Cloud Platform API key revocation and found that deleted keys could still authenticate for a median of about 16 minutes. In the longest test, a deleted key kept working for up to 23 minutes.

That matters because security teams often delete exposed keys with the expectation that access stops immediately! If an attacker already has the key, those extra minutes can still be used to send authenticated requests. Aikido warned that the risk can include access to uploaded files or cached conversations in projects where Gemini is enabled.

Given that the recent Google Account Takeovers (GTOs) have happened in less than 30 seconds, 16 minutes is a lifetime in hacker’ville.

The research also found inconsistent behavior by region and request path, which makes the problem harder for incident response teams. One deleted key may stop working quickly. Another may continue long enough to matter.

Aikido recommended treating Google API key deletion as a 30-minute risk window, not an instant cutoff. Teams should monitor API usage after deletion, rotate exposed credentials, and review activity by credential in the Google Cloud console.
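One way to do that post-deletion monitoring, as an added example that is not part of the original article or Aikido's tooling: record when each exposed key was deleted, then scan request logs for successful calls made with that key after the deletion timestamp, measure how long the key kept authenticating, and keep watching until the 30-minute window has elapsed. The log format below is a constructed, simplified one (timestamp plus key/method/status fields), not the real Cloud Audit Logs schema, and the key ids, method names and timestamps are made up for the demonstration.

```python
"""Flag API-key activity that happened after the key was deleted.

Added example: parses a constructed, simplified request-log format (not the
real Cloud Audit Logs schema) and reports which deleted keys were still used,
how long after deletion the last successful call landed, and whether the
30-minute watch window Aikido recommends has elapsed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Aikido's recommended post-deletion risk window.
WATCH_WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class ApiRequest:
    ts: datetime
    key_id: str
    method: str
    status: int


def _parse_ts(s: str) -> datetime:
    # fromisoformat() only accepts a trailing 'Z' on newer Pythons, so normalise it.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_log(text: str) -> list:
    """Parse lines of the form: '<iso-ts> key=<id> method=<name> status=<code>'."""
    out = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        out.append(ApiRequest(_parse_ts(ts), kv["key"], kv["method"], int(kv["status"])))
    return out


def post_deletion_uses(reqs, deletions):
    """Successful (2xx) calls made with a key at or after its deletion time.

    deletions maps key id -> datetime the key was deleted. Keys not in the
    map are ignored; non-2xx responses mean revocation had taken effect.
    """
    hits = {k: [] for k in deletions}
    for r in reqs:
        deleted_at = deletions.get(r.key_id)
        if deleted_at is not None and r.ts >= deleted_at and 200 <= r.status < 300:
            hits[r.key_id].append(r)
    return hits


def revocation_lag(reqs, deletions):
    """Seconds from deletion to the last successful call, or None if there were none."""
    lag = {}
    for key, hits in post_deletion_uses(reqs, deletions).items():
        lag[key] = (max(h.ts for h in hits) - deletions[key]).total_seconds() if hits else None
    return lag


def window_open(deleted_at, now, window=WATCH_WINDOW):
    """True while the key still needs watching (deletion + window not yet reached)."""
    return now < deleted_at + window


# Constructed sample data: two keys deleted at 10:00:00Z, one unrelated key.
SAMPLE_LOG = """
2025-01-15T09:58:10Z key=key-A method=files.upload status=200
2025-01-15T10:03:42Z key=key-A method=files.get status=200
2025-01-15T10:16:05Z key=key-A method=models.generateContent status=200
2025-01-15T10:24:30Z key=key-A method=files.get status=403
2025-01-15T10:01:00Z key=key-B method=files.list status=403
2025-01-15T09:59:00Z key=key-C method=files.list status=200
"""
DELETIONS = {
    "key-A": _parse_ts("2025-01-15T10:00:00Z"),
    "key-B": _parse_ts("2025-01-15T10:00:00Z"),
}


def report(log_text=SAMPLE_LOG, deletions=DELETIONS, now=None):
    """Summarise post-deletion activity per key; 'now' defaults to the last log line."""
    reqs = parse_log(log_text)
    now = now or max(r.ts for r in reqs)
    lag = revocation_lag(reqs, deletions)
    return {
        key: {
            "post_deletion_calls": len(post_deletion_uses(reqs, deletions)[key]),
            "lag_seconds": lag[key],
            "still_watching": window_open(deleted_at, now),
        }
        for key, deleted_at in deletions.items()
    }


if __name__ == "__main__":
    for key, summary in report().items():
        print(key, summary)
```

In the constructed sample, key-A keeps serving 2xx responses until 16 minutes 5 seconds after deletion (close to the median Aikido measured) before a 403 finally appears, while key-B is rejected on its first post-deletion call. In practice the deletion timestamps would come from the console or audit trail and the request log from whatever sink the project exports to; the useful output is the per-key lag, which tells the responder whether the deleted credential was actually exercised during the gap.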

Google reportedly closed the issue as “won’t fix,” according to Aikido’s report cited by Dark Reading. The practical lesson is simple: when a cloud key leaks, deletion is only one step. Monitoring after deletion is part of the cleanup.
