Deleted Google API Keys Remain Active up to 23 Minutes, Study Finds
ID: 09f0c209-638d-5832-8cc1-6deb00732087
STIX ID: report--09f0c209-638d-5832-8cc1-6deb00732087
Feed Name: HackRead
Aikido Security found that deleted Google Cloud API keys continue to authenticate for an average of 16 minutes (maximum ~23) because of eventual consistency in Google’s global auth infrastructure. Until the deletion propagates, an adversary holding a leaked key can still access enabled APIs (e.g., Gemini, BigQuery, Maps) and exfiltrate data. Google declined to remediate; researchers advise treating deletion as a 30-minute process and monitoring authentications during that window.
