Threat hunters find Google API keys still usable 23 minutes after deletion
ID: 0456667b-8bf2-56c6-b502-cbeb03514021
STIX ID: report--0456667b-8bf2-56c6-b502-cbeb03514021
Feed Name: The Register (Security)
Aikido researchers demonstrate that deleted Google API keys can remain valid for up to about 23 minutes because of propagation delays, allowing attackers to send repeated requests that reach servers which have not yet revoked the key. This can result in large unexpected billing charges and potential exfiltration of files and cached Gemini context. The Register corroborates real-world financial abuse cases (including five‑figure bills and refunds), and Google has marked the issue 'Won't Fix (Infeasible)'.
