Security researchers found that Google API keys may keep working for up to 23 minutes after a user deletes them, leaving developers and organizations exposed during a window they assume is safe. Aikido says revocation propagates unevenly across Google's infrastructure, so repeated authenticated requests made with the deleted key can still succeed against some backend servers. If Gemini is enabled, attackers could use that window to access uploaded files and cached conversation context, and to abuse automatic billing tier increases to run up large charges.
Why it matters: Anyone using Google APIs, especially Gemini, could still be exposed after deleting a leaked key. Treat key deletion alone as insufficient: rotate credentials quickly, restrict key permissions, watch for ongoing usage and billing spikes, and disable affected projects or services if abuse is underway.
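The "watch for ongoing usage" advice above is only useful if you can see whether a deleted key kept working. The script below is an added example, not code from the article or from Aikido: it correlates an exported API access log with the time each key was deleted, flags successful requests made after deletion, and reports both the longest observed post-deletion success and the time until the first rejection. The log format, the key ids and the deletion record are all constructed for the example; adapt `parse_line` to whatever your real audit export looks like.

```python
"""Post-deletion usage check for API keys (added example, not from the article).

Assumptions (constructed, not from the page): an access log with lines of the form
    <ISO-8601 UTC timestamp> key=<key id> status=<HTTP status> endpoint=<path>
and a record of when each key was deleted. Both are embedded below.
"""
from datetime import datetime, timezone

# Constructed deletion record: key id -> time the operator deleted it (UTC).
DELETED_KEYS = {
    "AIza-example-1": datetime(2026, 5, 21, 10, 0, 0, tzinfo=timezone.utc),
}

# Constructed log lines. The key ids are placeholders, not real keys.
SAMPLE_LOG = """\
2026-05-21T09:58:00Z key=AIza-example-1 status=200 endpoint=/v1beta/models/gemini:generateContent
2026-05-21T10:05:00Z key=AIza-example-1 status=200 endpoint=/v1beta/files
2026-05-21T10:20:00Z key=AIza-example-1 status=200 endpoint=/v1beta/models/gemini:generateContent
2026-05-21T10:30:00Z key=AIza-example-1 status=403 endpoint=/v1beta/models/gemini:generateContent
2026-05-21T10:10:00Z key=AIza-example-2 status=200 endpoint=/v1beta/files
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, key id, status, endpoint)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, kv["key"], int(kv["status"]), kv["endpoint"]


def find_post_deletion_successes(log_text, deleted_keys):
    """Return (key, seconds_after_deletion, endpoint) for every 2xx request
    made with a key at or after its recorded deletion time."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, key, status, endpoint = parse_line(line)
        deleted_at = deleted_keys.get(key)
        if deleted_at is None or ts < deleted_at:
            continue  # key not deleted, or request predates the deletion
        if 200 <= status < 300:
            hits.append((key, int((ts - deleted_at).total_seconds()), endpoint))
    return hits


def observed_lag_seconds(log_text, deleted_keys):
    """Per key, the latest successful request after deletion: a lower bound on
    how long the key kept working. 0 if nothing succeeded after deletion."""
    lag = {k: 0 for k in deleted_keys}
    for key, secs, _ in find_post_deletion_successes(log_text, deleted_keys):
        lag[key] = max(lag[key], secs)
    return lag


def first_rejection_seconds(log_text, deleted_keys):
    """Per key, seconds from deletion until the first 401/403 seen, or None if
    the log never shows the key being rejected (revocation not yet confirmed)."""
    first = {k: None for k in deleted_keys}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, key, status, _ = parse_line(line)
        deleted_at = deleted_keys.get(key)
        if deleted_at is None or ts < deleted_at or status not in (401, 403):
            continue
        secs = int((ts - deleted_at).total_seconds())
        if first[key] is None or secs < first[key]:
            first[key] = secs
    return first


if __name__ == "__main__":
    for hit in find_post_deletion_successes(SAMPLE_LOG, DELETED_KEYS):
        print("post-deletion success:", hit)
    print("longest post-deletion success (s):", observed_lag_seconds(SAMPLE_LOG, DELETED_KEYS))
    print("first rejection after deletion (s):", first_rejection_seconds(SAMPLE_LOG, DELETED_KEYS))
```

Any non-empty result from `find_post_deletion_successes` is the signal to escalate from "deleted" to the stronger measures the summary lists: restrict or disable the project or service rather than waiting for propagation, and check billing for the same window. A key whose `first_rejection_seconds` entry is still `None` has not yet been observed as revoked at all.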
2026.05.21