Threat hunters find Google API keys still usable 23 minutes after deletion
Security researchers have found that Google API keys can remain usable for up to 23 minutes after deletion. This creates a significant risk for developers, as attackers can exploit this window to incur charges or access sensitive data. The issue has been exacerbated by Google's billing policy changes, which can lead to unexpectedly high costs for victims.
- Researchers at Aikido discovered that deleted Google API keys can still be used for up to 23 minutes.
- During this time, attackers can run up charges or access sensitive files if the project has Gemini enabled.
- Google's recent billing policy changes allow for automatic upgrades to spending tiers, increasing the potential financial damage.
Opening excerpt (first ~120 words)
Plenty of time for bad actors to grab data or hit you with a giant bill
O'Ryan Johnson, published Thu 21 May 2026 // 21:23 UTC
You know your Google API key has leaked so you rush to disable it before bad actors can start running up charges on your account.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at The Register.