Researchers have confirmed that leaked Google API keys may remain usable for approximately 23 minutes after deletion.

API keys are authentication credentials that apps and services use to access APIs such as Google Cloud, and if they are
Google API keys keep working after you delete them long enough to be exploited
https://www.aikido.dev/blog/google-api-keys-deletion
Google API Keys Remain Live - YouTube
According to Aikido, the deletion of a Google API key is not applied across all of Google's infrastructure at once, but in stages. An attacker holding a leaked key can keep sending requests after the key is deleted, and some of those requests will land on servers that have not yet received the deletion. Aikido measured the interval between a user deleting an API key and the last request that still authenticated successfully, and calls this the 'time lag until expiration.'

The study found that this lag was at least about 8 minutes, with a median of about 16 minutes and a maximum of about 23 minutes. Aikido ran 10 tests over two days; in each test it created an API key, deleted it, and then continuously sent 3 to 5 requests per second with the deleted key, recording when they stopped authenticating.

Large-scale services like Google propagate changes to data and settings gradually across servers worldwide rather than all at once. Aikido describes this design as eventual consistency: every server converges on the same state, but not at the same moment. While this is an effective way to run a large system quickly and stably, applying the same approach to the deletion of credentials means that a key the user believes is 'deleted' remains usable by an attacker for some time.
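To make the measurement and the eventual-consistency behaviour concrete, here is an added example (not Aikido's tooling or Google's code) that replays the method against a simulated multi-replica key store. The store, the per-replica propagation delays, the request rate and the key names are all constructed for illustration; only the method (delete at t=0, keep sending requests, record the last success) follows what the article describes.

```python
"""Simulated replay of Aikido's revocation-lag measurement against an eventually
consistent key store. Added example, not Aikido's code; the store, replica delays
and key names are all constructed for illustration."""
import random
import statistics


class EventuallyConsistentKeyStore:
    """Toy multi-replica credential store.

    Every replica keeps its own view of which keys are live. delete() does not
    revoke the key everywhere at once; it schedules the revocation on each replica
    after that replica's own propagation delay, which is the staged behaviour the
    article describes. The delays are constructed inputs, not Google's numbers.
    """

    def __init__(self, replica_delays_s, rng=None):
        self.replica_delays_s = list(replica_delays_s)
        self.rng = rng if rng is not None else random.Random(0)
        # One dict per replica: key -> time from which this replica rejects it (None = live)
        self.revoke_at = [dict() for _ in self.replica_delays_s]

    def create(self, key):
        for replica in self.revoke_at:
            replica[key] = None

    def delete(self, key, now_s):
        for replica, delay in zip(self.revoke_at, self.replica_delays_s):
            replica[key] = now_s + delay

    def validate(self, key, now_s):
        """Authenticate one request, routed to a random replica like a global front end."""
        replica = self.rng.choice(self.revoke_at)
        if key not in replica:
            return False
        deadline = replica[key]
        return deadline is None or now_s < deadline


def measure_revocation_lag(validate, key, rate_hz, window_s):
    """Replay the measurement: the key is deleted at t=0, then requests are sent at
    rate_hz for window_s seconds. Returns the time of the last request that still
    authenticated (the 'time lag until expiration'), or 0.0 if none did."""
    step_s = 1.0 / rate_hz
    last_ok_s = 0.0
    for i in range(1, int(window_s * rate_hz) + 1):
        t = i * step_s
        if validate(key, t):
            last_ok_s = t
    return last_ok_s


def run_trials(n_trials, seed=7):
    """Create, delete and probe one key per trial; returns the lag of each trial in seconds."""
    rng = random.Random(seed)
    lags = []
    for i in range(n_trials):
        # Constructed: 12 replicas converging between 8 and 23 minutes, the range the study reported
        delays = [rng.uniform(8 * 60, 23 * 60) for _ in range(12)]
        store = EventuallyConsistentKeyStore(delays, rng)
        key = f"example-key-{i}"  # placeholder name, not a real credential
        store.create(key)
        store.delete(key, now_s=0.0)
        lags.append(measure_revocation_lag(store.validate, key, rate_hz=4, window_s=30 * 60))
    return lags


def summarize_minutes(lags_s):
    """Minimum, median and maximum lag in minutes, the three figures Aikido reported."""
    return (min(lags_s) / 60, statistics.median(lags_s) / 60, max(lags_s) / 60)


if __name__ == "__main__":
    lo, med, hi = summarize_minutes(run_trials(10))
    print(f"lag until expiration: min {lo:.1f} min, median {med:.1f} min, max {hi:.1f} min")
```

The point the simulation makes is that the measured lag is governed by the slowest replica, not the average one: as long as the probe rate is high enough to hit every replica regularly, the last success lands within a few seconds of the slowest replica's propagation delay. A probe that sends only one request per minute would underestimate the exposure window.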

The damage is not limited to delayed revocation. Joe Leon of Aikido points out that in projects where Gemini is enabled, an attacker holding the key could, during that window, pull uploaded files and cached conversation content out of the project. In other words, a key that still works after deletion is not merely a 'problem of inflated usage fees' but a 'problem of data exfiltration.'
Aikido also reports setting up virtual machines in three regions, East US, Western Europe, and Southeast Asia, and running five additional tests from them. The success rate of requests sent immediately after deletion differed by region: the Southeast Asia machine had a relatively low success rate, while the East US and Western Europe machines had higher ones. Aikido cautions, however, that the exact cause cannot be determined from the outside, because the location of the client virtual machine does not necessarily match the location of the server that actually processes the request.

Aikido mainly tested Google API keys with access to Gemini, but confirmed similar behavior with keys restricted to Google Cloud APIs such as BigQuery and Maps. By contrast, deletion of a key in the new Gemini API key format took effect in about one minute, and deletion of a Google service account key in about five seconds. Aikido takes this as evidence that faster revocation is technically possible even for systems of Google's size.
Aikido reported its findings to Google, but Google closed the report as 'won't fix.' According to Aikido, Google's position is that the delay in applying an API key deletion is expected system behavior and not a security issue. The Register asked Google for comment but reported that it had received no response at the time of writing.
Aikido states that 'until Google implements faster revocation, the deletion of a leaked Google API key should be treated as a task that takes about 30 minutes, not one that completes instantly.' Aikido also stresses checking the request counts for each credential in the 'Active APIs and Services' section of the Google Cloud console, to confirm whether unexpected usage continues after deletion.
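As an added example (not Aikido's or Google's code) of the post-deletion check Aikido recommends, the script below scans request logs for successful use of a credential after the time you deleted it. The JSON-lines format and the field names (`ts`, `key_id`, `api`, `status`) are assumptions made for this example, not the schema of the Google Cloud console or of Cloud Logging; map them onto whatever your real request or audit logs provide. The sample log lines and deletion time are constructed.

```python
"""Flag successful use of a credential after its recorded deletion time.
Added example, not Aikido's or Google's code. The JSON-lines log format and the
field names (ts, key_id, api, status) are assumptions made for this example;
map them onto whatever your real request or audit logs provide."""
import json
from datetime import datetime, timezone

# Constructed sample log lines, not real Google Cloud log entries.
SAMPLE_LOG = """\
{"ts": "2025-01-10T10:00:05Z", "key_id": "key-1", "api": "generativelanguage.googleapis.com", "status": 200}
{"ts": "2025-01-10T10:02:30Z", "key_id": "key-1", "api": "generativelanguage.googleapis.com", "status": 200}
{"ts": "2025-01-10T10:05:00Z", "key_id": "key-2", "api": "bigquery.googleapis.com", "status": 200}
not-json: a corrupted line that the parser must skip
{"ts": "2025-01-10T10:14:10Z", "key_id": "key-1", "api": "generativelanguage.googleapis.com", "status": 200}
{"ts": "2025-01-10T10:31:00Z", "key_id": "key-1", "api": "generativelanguage.googleapis.com", "status": 403}
"""

# Constructed: key id -> the time the operator deleted it in the console.
DELETIONS = {"key-1": "2025-01-10T10:01:00Z"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def post_deletion_usage(log_text, deletions):
    """Return, per deleted key, the successful requests seen after its deletion time.

    Result shape: {key_id: {"successful_hits": int, "last_success_lag_s": float,
                            "first_denial_lag_s": float | None, "apis": set[str]}}.
    A key absent from the result had no post-deletion successes. A single 401/403
    only shows that one server has caught up; treat the key as live until a
    sustained stretch with no successes, as the article's 30-minute guidance implies."""
    deleted_at = {k: parse_ts(v) for k, v in deletions.items()}
    report = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
            ts = parse_ts(entry["ts"])
            key_id = entry["key_id"]
            status = int(entry["status"])
        except (ValueError, KeyError, TypeError):
            continue  # corrupted or incomplete entry: skipped rather than trusted
        if key_id not in deleted_at or ts <= deleted_at[key_id]:
            continue  # not a deleted key, or a request from before the deletion
        lag_s = (ts - deleted_at[key_id]).total_seconds()
        rec = report.setdefault(key_id, {"successful_hits": 0, "last_success_lag_s": 0.0,
                                         "first_denial_lag_s": None, "apis": set()})
        if 200 <= status < 300:
            rec["successful_hits"] += 1
            rec["last_success_lag_s"] = max(rec["last_success_lag_s"], lag_s)
            rec["apis"].add(entry.get("api", "?"))
        elif status in (401, 403):
            prev = rec["first_denial_lag_s"]
            rec["first_denial_lag_s"] = lag_s if prev is None else min(prev, lag_s)
    # Keys that only produced denials after deletion are not findings.
    return {k: v for k, v in report.items() if v["successful_hits"] > 0}


if __name__ == "__main__":
    for key_id, rec in post_deletion_usage(SAMPLE_LOG, DELETIONS).items():
        print(f"{key_id}: {rec['successful_hits']} successful request(s) after deletion, "
              f"last one {rec['last_success_lag_s'] / 60:.1f} min later, "
              f"APIs: {sorted(rec['apis'])}")
```

Run it over the window Aikido describes, roughly the 30 minutes after deletion, and keep the deletion timestamp from your own change record rather than inferring it from the logs. A key that shows successes well past its deletion time is the exfiltration opportunity the article describes, not just a billing anomaly, and the APIs it touched tell you which data to assume exposed.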
Posted by log1d_ts in Web Service, Security