HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Deleted Google API Keys Remain Active for Up to 23 Minutes, Exposing GCP Services

A new study reveals that Google Cloud API keys continue to work for up to 23 minutes after deletion, allowing attackers to call BigQuery, Gemini, Maps, and other services. This delay expands third‑party risk for any organization relying on Google APIs.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 hackread.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
3 recommended
📰
Source
hackread.com

Deleted Google API Keys Remain Active for Up to 23 Minutes After Deletion, Exposing GCP Services

What Happened — A recent independent study discovered that Google Cloud API keys continue to function for as long as 23 minutes after a user deletes them via the console or API. During this window, threat actors can still invoke services such as BigQuery, Gemini, Maps, and other GCP APIs, potentially harvesting sensitive data or incurring unauthorized charges.

Why It Matters for TPRM

  • The revocation delay creates a predictable window for credential abuse, increasing third‑party risk for any organization that outsources workloads to Google Cloud.
  • Unchecked API usage can lead to data exfiltration, cost inflation, and compliance violations that flow back to the primary vendor relationship.
  • Existing risk assessments that assume immediate key invalidation may underestimate exposure.

Who Is Affected — Cloud‑first enterprises, SaaS providers, data‑analytics firms, and any organization that integrates Google Cloud APIs (e.g., FIN_SERV, TECH_SAAS, RETAIL_ECOM, GOV_PUBLIC).

Recommended Actions

  • Review all active Google API keys and enforce a “rotate‑and‑revoke” policy with minimal exposure time.
  • Implement monitoring for API calls on keys scheduled for deletion and set alerts for any activity within the 30‑minute window.
  • Engage Google Cloud account teams to confirm they are aware of the revocation lag and request any available mitigations (e.g., immediate revocation via support tickets).

Technical Notes — The issue stems from an internal propagation delay in Google’s API‑key revocation workflow, not a disclosed CVE. Attackers can exploit the window via automated scripts that repeatedly attempt calls using the soon‑to‑be‑deleted key. Exposed data includes project metadata, query results, geolocation data, and AI model outputs. Source: HackRead

📰 Original Source
https://hackread.com/deleted-google-api-keys-active-23-minutes/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →