CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 22, 2026

Deleted Google API Keys Continue Accessing Gemini, BigQuery, and Maps APIs

Cybersecurity News Archived May 22, 2026 ✓ Full text saved

A newly disclosed issue with Google Cloud API keys reveals that deleted credentials may remain usable for up to 23 minutes, exposing projects to potential abuse even after revocation. The finding raises concerns about delayed credential invalidation across Google’s infrastructure, particularly for sensitive services such as Gemini, BigQuery, and Google Maps APIs. According to Aikido […] The post Deleted Google API Keys Continue Accessing Gemini, BigQuery, and Maps APIs appeared first on Cyber Se

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Deleted Google API Keys Continue Accessing Gemini, BigQuery, and Maps APIs By Abinaya May 22, 2026 A newly disclosed issue with Google Cloud API keys reveals that deleted credentials may remain usable for up to 23 minutes, exposing projects to potential abuse even after revocation. The finding raises concerns about delayed credential invalidation across Google’s infrastructure, particularly for sensitive services such as Gemini, BigQuery, and Google Maps APIs. According to Aikido research, deleting a Google API key does not immediately terminate its access. Instead, revocation propagates gradually across distributed systems, creating a “revocation window” during which the key continues to authenticate requests. Longest observed window: ~23 minutes. Shortest observed window: ~8 minutes. Median duration: ~16 minutes. Attackers with leaked keys can continue making API calls during this period because some backend servers may still accept deleted keys, causing inconsistent enforcement. Deleted Google API Keys Continue Access The issue becomes more severe when high-value services are enabled. If a compromised key has access to Google’s Gemini API, attackers may: Retrieve previously uploaded files. Access cached conversations. Continue interacting with AI endpoints. Similar behavior was observed across other services, including the BigQuery and Maps APIs, indicating that the delay is tied to API key infrastructure rather than individual services. Chart shows invalid requests above valid API requests during testing. (Source: Aikido) Researchers conducted controlled experiments over multiple days: Created and deleted API keys in repeated trials. Sent 3–5 authenticated requests per second post-deletion. Measured how long requests continued to succeed. Results showed unpredictable success rates. For example, one minute after deletion, some trials still saw up to 79% of requests succeed, while others dropped to as low as 5%. This inconsistency makes it difficult to determine when a key is truly invalid. Tests across multiple Google Cloud regions revealed uneven propagation: us-east1: ~49% median success rate. Europe-west1: ~49% median success rate. asia-southeast1: ~22% median success rate. Interestingly, some distant regions rejected deleted keys faster than closer ones, suggesting that routing, caching, or infrastructure differences influence revocation timing. The Google Cloud Console does not clearly indicate that a deleted key is still active. Instead: Deleted keys disappear from the interface immediately. Ongoing requests may still succeed without visibility. Failed requests are grouped under “apikey:UNKNOWN”. This aggregation complicates incident response, as security teams cannot easily attribute activity to a specific deleted key. Restore credentials (Source: Aikido) Not all Google credentials exhibit the same delay: Service account keys: revoked in ~5 seconds. New Gemini API keys (AQ prefix): revoked in ~1 minute. Legacy API keys: up to 23 minutes. This disparity suggests that faster revocation is technically feasible but not implemented for standard API keys. Aikido researcher Joe Leon said Google marked the issue as “won’t fix,” describing the delay as expected behavior in eventually consistent systems rather than a security flaw. While Google documents eventual consistency in IAM systems, it does not explicitly warn users about delayed API key revocation. Security Implications Delayed revocation contradicts typical expectations that deleting credentials immediately blocks access. Even short delays can be exploited, as prior cloud security research demonstrates. For organizations using Google Cloud, this creates several risks: Continued access after credential compromise. Lack of visibility into active misuse. Difficulty enforcing just-in-time (JIT) credential strategies. Until changes are implemented, security teams should adjust their response strategies: Treat API key deletion as a 30-minute process rather than an immediate one. Monitor API usage closely after deletion for suspicious activity. Rotate keys proactively and minimize exposure in public repositories. Prefer service account keys or newer credential types where possible. This discovery highlights a broader challenge in cloud security: balancing scalability with strict authentication guarantees. In the case of Google API keys, the current model leaves a critical gap that attackers can exploit during the revocation window. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Discord Announces End-to-End Encryption by Default for Video and Voice Messages Splunk Patches Multiple Vulnerabilities that Enable DOS Attacks and Expose Sensitive Data Microsoft Exchange, Windows 11, and Cursor Zero-Days Exploited on Pwn2Own Day 2 Critical Apache Flink Vulnerability Enables Remote code execution Attacks Grafana GitHub Breach Linked to TanStack npm Supply Chain Ransomware Latest News Cyber Security News Android Malware Silently Subscribes Victims to Premium Services Without Consent Cyber Security News Operation Dragon Whistle Uses Malicious LNK Files to Target Changzhou University Cyber Security Canadian Man Arrested for Operating KimWolf DDoS Botnet Hacking 2 Million Devices Cyber Security News Hackers Hide Malware Payloads Inside Nested macOS-Like Folders to Evade Scanning Cyber Security News Splunk Patches Multiple Vulnerabilities that Enable DOS Attacks and Expose Sensitive Data
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 22, 2026
    Archived
    May 22, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗