- What: Deleted Google API keys remain active for up to 23 minutes
- Impact: Potential for unauthorized access during the delay period
Deleted Google API keys remain active for up to 23 minutes, study finds

May 21, 2026

By SC Staff

Deleted Google API keys can remain active and authenticate successfully for up to 23 minutes after removal, according to a new study by Aikido Security. The cybersecurity firm conducted 10 controlled trials over two days to measure this delay, revealing a significant window of vulnerability for Google Cloud Platform users, as reported by HackRead.

API keys are crucial for authenticating requests between software applications. While the Google Cloud Platform console indicates immediate deletion, researchers found that keys take an average of 16 minutes to become fully inactive, with the longest observed delay reaching 23 minutes. During this period, threat actors possessing a leaked key can access enabled APIs, potentially exfiltrating cached conversations, dumping files from Gemini, and accessing BigQuery or Maps data.

This vulnerability stems from eventual consistency in Google's authentication infrastructure, where updates propagate gradually across global servers. Compared with AWS, which had a 4-second revocation window for a similar issue, Google's delay presents a larger risk, according to researchers. Incident response is further complicated because post-deletion authentication attempts are bundled into an "apikey:UNKNOWN" category. While Google has faster revocation for other key types, it has classified this API key deletion delay as a known property, not a security flaw, advising users to treat deletion as a 30-minute operation.

Source: HackRead
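For the incident-response problem described above, this added example (not code from the article, Aikido Security or Google) triages request records after a key deletion by isolating `apikey:UNKNOWN` requests inside the 30-minute window that hit APIs the deleted key could reach. The record schema, API labels and sample data are constructed assumptions; only the 30-minute window and the `apikey:UNKNOWN` label come from the article.

```python
from datetime import datetime, timedelta

# The article's guidance: treat API key deletion as a 30-minute operation.
REVOCATION_WINDOW = timedelta(minutes=30)
# Bucket the article says post-deletion authentication attempts are grouped under.
UNKNOWN_LABEL = "apikey:UNKNOWN"


def triage_post_deletion(records, deleted_at, enabled_apis, window=REVOCATION_WINDOW):
    """Return requests that may have used a deleted key while it still authenticated.

    records: dicts with 'ts' (ISO 8601), 'credential', 'api', 'status' (HTTP code).
    This is a hypothetical export schema for the example, not a Google log format.
    """
    window_end = deleted_at + window
    candidates, rejected = [], []
    for rec in records:
        ts = datetime.fromisoformat(rec["ts"])
        if not (deleted_at <= ts <= window_end):
            continue  # before the deletion, or past the 30-minute window
        if rec["credential"] != UNKNOWN_LABEL or rec["api"] not in enabled_apis:
            continue  # attributed to another credential, or an API the key could not reach
        # Successful calls need review; failures show where revocation had taken effect.
        (candidates if rec["status"] < 400 else rejected).append(rec)
    last_ok = max((datetime.fromisoformat(r["ts"]) for r in candidates), default=None)
    return {"window_end": window_end, "candidates": candidates,
            "rejected": rejected, "last_success": last_ok}


# Constructed sample records (not real log data).
DELETED_AT = datetime.fromisoformat("2026-05-20T10:00:00+00:00")
SAMPLE = [
    {"ts": "2026-05-20T09:58:00+00:00", "credential": "apikey:example-key", "api": "gemini", "status": 200},
    {"ts": "2026-05-20T10:05:00+00:00", "credential": UNKNOWN_LABEL, "api": "gemini", "status": 200},
    {"ts": "2026-05-20T10:16:00+00:00", "credential": UNKNOWN_LABEL, "api": "bigquery", "status": 200},
    {"ts": "2026-05-20T10:20:00+00:00", "credential": UNKNOWN_LABEL, "api": "translate", "status": 200},
    {"ts": "2026-05-20T10:24:00+00:00", "credential": UNKNOWN_LABEL, "api": "gemini", "status": 403},
    {"ts": "2026-05-20T10:45:00+00:00", "credential": UNKNOWN_LABEL, "api": "bigquery", "status": 200},
]
RESULT = triage_post_deletion(SAMPLE, DELETED_AT, {"gemini", "bigquery"})

if __name__ == "__main__":
    for rec in RESULT["candidates"]:
        print("review:", rec["ts"], rec["api"])
    print("treat key as live until:", RESULT["window_end"].isoformat())
```

Because the `apikey:UNKNOWN` bucket is shared, the candidates are an upper bound on the deleted key's activity, not proof that the key was used.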