HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Google API Keys Remain Active Up to 23 Minutes After Deletion, Exposing Cloud Services

Aikido Security discovered that Google Cloud API keys can continue to authenticate for up to 23 minutes after deletion, creating a window for abuse. The latency affects all key types and poses a risk to any third‑party relying on Google APIs. TPRM teams should treat key revocation as a time‑bound operation and monitor usage closely.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 helpnetsecurity.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
helpnetsecurity.com

Google API Keys Remain Active Up to 23 Minutes After Deletion, Exposing Cloud Services

What Happened — Researchers at Aikido Security found that Google Cloud API keys continue to authenticate for up to 23 minutes after a user deletes them. The delay is a by‑product of Google’s eventually‑consistent credential propagation and affects all key types, including those for Maps, BigQuery, and Gemini AI.

Why It Matters for TPRM

  • Stolen or leaked API keys can be abused during the revocation window to generate unauthorized charges or extract data.
  • Third‑party applications that depend on Google APIs inherit this latency, expanding the attack surface of your supply chain.
  • No built‑in verification mechanism means vendors cannot guarantee immediate key invalidation, complicating incident response and audit trails.

Who Is Affected — Cloud‑based SaaS providers, data‑analytics platforms, mapping services, AI‑driven applications, and any organization that integrates Google Cloud APIs.

Recommended Actions

  • Treat API‑key deletion as a 30‑minute operation; monitor usage continuously after revocation.
  • Rotate keys proactively and implement usage‑based alerts in the GCP console.
  • Where feasible, replace long‑lived API keys with short‑lived service‑account tokens or OAuth flows that support immediate revocation.
  • Update third‑party risk questionnaires to capture this credential‑propagation latency.

Technical Notes — The issue originates from Google Cloud’s eventually consistent credential store; deletion propagates across regions over minutes. No CVE has been assigned. Affected data includes request payloads, uploaded files, and cached Gemini conversation data. Source: Help Net Security

📰 Original Source
https://www.helpnetsecurity.com/2026/05/22/deleted-google-api-keys-risk/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

A privacy incident is a question about your consent record.

CookiePLUS and Verisq AI Trust Operations keep consent, DSAR, and data-handling evidence continuously ready — so a data-exposure event finds you prepared, not scrambling.

See how Verisq AI Trust Operations handles privacy →