CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 22, 2026

Google API Keys Remain Active After Deletion

Dark Reading Archived May 22, 2026 ✓ Full text saved

A security researcher discovered the API keys can still be used for 23 minutes after deletion, even though the cloud provider claims deletion is immediate.

Full text archived locally
✦ AI Summary · Claude Sonnet


    IDENTITY & ACCESS MANAGEMENT SECURITY CYBER RISK СLOUD SECURITY THREAT INTELLIGENCE NEWS Google API Keys Remain Active After Deletion A security researcher discovered the API keys can still be used for 23 minutes after deletion, even though the cloud provider claims deletion is immediate. Rob Wright,Senior News Director,Dark Reading May 21, 2026 4 Min Read SOURCE: SANDWISH VIA ALAMY STOCK PHOTO Google API keys aren't completely inactive after users delete them, giving attackers a small but significant window to continue abusing them. Joe Leon, researcher at Belgian startup Aikido Security, recently analyzed the revocation window — the time between a key's deletion and its last successful authentication — for the cloud giant's API keys. In a blog post published today, Leon said Google Cloud Platform (GCP) customers expect API access to end immediately after the key is deleted, but this is not the case. In a series of tests, Leon found that the median revocation window was around 16 minutes, while the longest window weas up to 23 minutes, "an incredibly long time" for API keys to continue authenticating successfully, he said.  And these windows have serious repercussions for organizations. "An attacker holding your deleted key can keep sending requests until one reaches a server that has not caught up. If Gemini is enabled on the project, they can dump files you have uploaded and exfiltrate cached conversations," Leon said. "The GCP console will not show the key, and it will not tell you the key is still working. You are trusting Google's infrastructure to eventually catch up." Related:AI Agents Are Shifting Identity Security Budget Dynamics Google API Key Revocation Windows Vary Leon tells Dark Reading he was inspired to examine the revocation windows for GCP after Eduard Agavriloae, co-founder of Offensai, published research late last year on revocation delays in AWS credentials. But as Leon noted in his blog post, those delays were just four seconds, and AWS responded to the issue. "Four seconds was enough to matter on AWS," he wrote. The revocation windows for Google's API keys were, by comparison, exponentially longer. Aikido's research team ran 10 tests over two days where they created virtual machines (VMs) in different GCP regions, deleted the API keys, and sent up to five authenticated requests per second to see how long the keys worked after the deletion. The test results were "highly unpredictable," as one trial had a 79% authentication success rate after one minute, while another test had just a 5% success rate. Additionally, Aikido's research team found success rates were significantly different based on the VM's region. For example, according to the test results, VMs in GCP's asia-southeast1 had a median request authentication success rate of just 22% after one minute, while the success rates of us-east1 and europe-west1 regions were about 49%. Leon noted that VMs farther away from the US picked up deletion requests faster, which "is the opposite of what you'd expect," though it's unclear why. Related:Oracle Red Bull Racing Team Revs Up Automation to Boost Security "Google's request routing is more complex than 'VM region equals server region'" and a VM in Singapore isn't necessarily talking to servers in Singapore," Leon wrote. "But the pattern was consistent across trials, which points to something about regional infrastructure, caching, or routing affinity driving the difference." Whatever the cause, Leon says the regional differences are "entirely driven by where the researcher (or attacker) originated their requests," and are independent of the customer's geographic location.  API Key Deletion Delays Complicate Incident Response Aikido's report stated that GCP's user interface (UI) for key deletions states, "Once deleted, it can no longer be used to make API requests." Leon wrote that the UI is demonstrably false and leaves customers in the dark about when an API key is fully revoked. Leon tells Dark Reading the revocation windows for Google's API keys, as well as the unpredictable authentication success rates, complicate matters for incident response teams that are dealing with a potential breach. "This breaks the mental model IR teams have when responding to leaked credentials," he says. "It's assumed that when you click 'Delete' or 'Revoke' that the credential no longer works. Now IR teams need to remember that for GCP credentials, a window exists when that 'Deleted' credential still works for attackers." Related:Your Next Breach Will Look Like Business as Usual To that end, Aikido recommended that security teams and IR personnel use a 30-minute window for Google API key deletions. Additionally, organizations should monitor their API requests by credential through the "Enabled APIs and services" portion of the GCP console, and review API requests by credential. "If you see unexpected usage from that credential after deletion, someone could be actively exploiting it," Leon wrote. Aikido reported the findings to Google, but the company closed the report as "won't fix," according to the blog post. Dark Reading contacted Google for comment on the research, but the company did not respond at press time. Leon noted that Google has faster revocations for other types of credentials, as service account deletions propagate across the platform in about five seconds and Gemini's newer API key format is fully revoked in approximately one minute. This suggests that it's "technically solvable" to reduce the revocation windows for Google API keys. "Distributed systems at Google's scale are hard, and this is not a critique of the GCP IAM team," Leon wrote. "But a 23-minute revocation window is fundamentally at odds with what users expect from a delete button." About the Author Rob Wright Senior News Director, Dark Reading Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.  Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management Access More Research Webinars Defending in the Shadow Era: When the CVE Feed Goes Dark Building SecOps That Make the Most of Every Dollar AI-Powered Credential Security: Intelligence Without Exposure AI-Powered Cybersecurity for Resource-Constrained Organizations How Security Teams should apply Threat Intelligence into their Defenses More Webinars You May Also Like IDENTITY & ACCESS MANAGEMENT SECURITY Delinea's StrongDM Deal Sign of How PAM Has Changed by Jeffrey Schwartz MAR 12, 2026 IDENTITY & ACCESS MANAGEMENT SECURITY Orgs Move to SSO, Passkeys to Solve Bad Password Habits by Nate Nelson, Contributing Writer NOV 13, 2025 IDENTITY & ACCESS MANAGEMENT SECURITY 1Password Addresses Critical AI Browser Agent Security Gap by Arielle Waldman OCT 10, 2025 IDENTITY & ACCESS MANAGEMENT SECURITY NIST Digital Identity Guidelines Evolve With Threat Landscape by Arielle Waldman AUG 14, 2025 Editor's Choice THREAT INTELLIGENCE From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber byDark Reading Editorial Team MAY 6, 2026 31 MIN READ CYBER RISK Physical Cargo Theft Gets a Boost From Cybercriminals byRobert Lemos MAY 4, 2026 5 MIN READ CYBER RISK NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later byDark Reading Editorial Team APR 28, 2026 Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE LOADING... RSAC 2026: key news & insights At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more Get Your Recap Webinars Building SecOps That Make the Most of Every Dollar THURS, JULY 9, 2026 AT 1PM EST AI-Powered Credential Security: Intelligence Without Exposure WED, JUNE 17, 2026, AT 1PM EST AI-Powered Cybersecurity for Resource-Constrained Organizations THURS, JUNE 18, 2026, AT 1PM EST How Security Teams should apply Threat Intelligence into their Defenses THURS, JUNE 11, 2026 AT 1PM EST Your Guide to Securing AI Adoption in Your Organization TUES, JUNE 9, 2026 AT 1PM EST More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    May 22, 2026
    Archived
    May 22, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗