Deleted Google API Keys Remain Active up to 23 Minutes, Study Finds

A study by Aikido Security reveals that deleted Google API keys remain active for up to 23 minutes due to eventual consistency in the company’s authentication infrastructure. This delay allows attackers to potentially access GCP, Gemini, BigQuery, and Maps data even after a key has been revoked.