Executive Summary
In May 2026, security researchers at Aikido Security discovered that Google API keys remain active for up to 23 minutes after deletion, contrary to expectations of immediate revocation. This delay allows attackers possessing deleted keys to continue making authenticated requests, potentially leading to unauthorized data access and financial implications. The research involved multiple trials across different Google Cloud Platform regions, revealing inconsistent revocation times and highlighting a significant security gap in credential management.
This finding underscores the critical need for organizations to reassess their API key management practices, especially in light of increasing reliance on cloud services. The delayed revocation poses challenges for incident response teams, emphasizing the importance of continuous monitoring and implementing additional security measures to mitigate potential exploitation during the revocation window.
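Because a deleted key may still be honoured for minutes, incident responders should verify from logs whether a revoked key was accepted after its deletion timestamp rather than assume revocation was instant. The following is an added Python example, not code from the original report or from Aviatrix or Google: it assumes the admin-activity and request logs have already been flattened into dicts with the constructed field names `timestamp`, `action`, `key_id` and `status`, and every sample record below is constructed for the example.

```python
"""Flag accepted use of a Google API key after its deletion and measure the lag.

Added example: the field names and sample records are constructed, not taken
from any real log schema.
"""
from datetime import datetime, timezone

# Constructed admin-activity events: one records the deletion of a key.
ADMIN_EVENTS = [
    {"timestamp": "2026-05-20T10:00:00Z", "action": "api_key.delete", "key_id": "key-example-1"},
]

# Constructed request events carrying the key id and the HTTP status returned.
REQUEST_EVENTS = [
    {"timestamp": "2026-05-20T09:58:30Z", "key_id": "key-example-1", "status": 200},  # before deletion
    {"timestamp": "2026-05-20T10:05:12Z", "key_id": "key-example-1", "status": 200},  # accepted after deletion
    {"timestamp": "2026-05-20T10:21:40Z", "key_id": "key-example-1", "status": 200},  # accepted after deletion
    {"timestamp": "2026-05-20T10:25:00Z", "key_id": "key-example-1", "status": 403},  # revocation finally applied
    {"timestamp": "2026-05-20T10:02:00Z", "key_id": "key-example-2", "status": 200},  # key never deleted
]


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def deletion_times(admin_events):
    """Map each deleted key id to its earliest recorded deletion time."""
    deleted = {}
    for ev in admin_events:
        if ev["action"] != "api_key.delete":
            continue
        ts = parse_ts(ev["timestamp"])
        if ev["key_id"] not in deleted or ts < deleted[ev["key_id"]]:
            deleted[ev["key_id"]] = ts
    return deleted


def post_deletion_accepts(admin_events, request_events):
    """Return requests that were accepted (2xx) using a key after its deletion.

    Each finding carries the key id, the request timestamp and the lag in
    seconds since deletion; findings are sorted by key and lag.
    """
    deleted = deletion_times(admin_events)
    findings = []
    for req in request_events:
        deleted_at = deleted.get(req["key_id"])
        if deleted_at is None:
            continue  # key was never deleted: normal use
        ts = parse_ts(req["timestamp"])
        if ts > deleted_at and 200 <= req["status"] < 300:
            findings.append({
                "key_id": req["key_id"],
                "timestamp": req["timestamp"],
                "lag_seconds": int((ts - deleted_at).total_seconds()),
            })
    findings.sort(key=lambda f: (f["key_id"], f["lag_seconds"]))
    return findings


def revocation_lag_seconds(admin_events, request_events):
    """Per deleted key, seconds between deletion and the last accepted use (0 if none seen)."""
    lags = {key: 0 for key in deletion_times(admin_events)}
    for finding in post_deletion_accepts(admin_events, request_events):
        lags[finding["key_id"]] = max(lags[finding["key_id"]], finding["lag_seconds"])
    return lags


if __name__ == "__main__":
    for f in post_deletion_accepts(ADMIN_EVENTS, REQUEST_EVENTS):
        print(f"ALERT: deleted key {f['key_id']} accepted {f['lag_seconds']}s after deletion ({f['timestamp']})")
    for key, lag in revocation_lag_seconds(ADMIN_EVENTS, REQUEST_EVENTS).items():
        print(f"{key}: last accepted use {lag}s after deletion")
```

Run against real exports, the last accepted use per key gives the revocation lag actually observed in your project, which is the number an incident timeline needs; any non-zero value means the key's deletion time cannot be treated as the end of the exposure window.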
Why This Matters Now
The delayed revocation of Google API keys presents an immediate security risk, as attackers can exploit this window to access sensitive data or incur unauthorized charges. Organizations must urgently review and enhance their API key management and monitoring strategies to prevent potential breaches and financial losses.
Attack Path Analysis
An attacker exploited a leaked Google API key to access sensitive data and services. Despite the key's deletion, it remained active for up to 23 minutes, allowing continued unauthorized access. The attacker utilized this window to exfiltrate data and potentially cause further harm.
Kill Chain Progression
Initial Compromise
Description
An attacker obtained a leaked Google API key, granting unauthorized access to associated services.
MITRE ATT&CK® Techniques
Steal Application Access Token
Valid Accounts
Command and Scripting Interpreter: Cloud API
Data from Cloud Storage
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Limit access to system components and cardholder data to only those individuals whose job requires such access.
Control ID: 7.1.1
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: Pillar 2: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Google API key deletion delays create prolonged vulnerability windows for IT infrastructure, enabling continued unauthorized access to cloud services and data exfiltration opportunities.
Computer Software/Engineering
Software development teams face extended security exposure when rotating compromised GCP API keys, allowing attackers persistent access to code repositories and deployment pipelines.
Financial Services
Banking systems using Google Cloud APIs remain vulnerable for up to 23 minutes after a key is deleted, risking unauthorized access to financial data and regulatory compliance violations.
Health Care / Life Sciences
Healthcare organizations face HIPAA compliance risks as deleted Google API keys enable continued unauthorized access to patient data and medical systems.
Sources
- Google API Keys Remain Active After Deletion: https://www.darkreading.com/identity-access-management-security/google-api-keys-active-after-deletion (Verified)
- Deleted Google API keys keep working for up to 23 minutes, researchers warn: https://www.helpnetsecurity.com/2026/05/22/deleted-google-api-keys-risk/ (Verified)
- Threat hunters find Google API keys still usable 23 minutes after deletion: https://www.theregister.com/devops/2026/05/21/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion/5244504 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit the leaked API key by enforcing strict identity-based access controls and segmenting workloads, thereby reducing unauthorized access and data exfiltration.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's unauthorized access may have been constrained by identity-aware policies, limiting their ability to exploit the leaked API key.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited by segmenting workloads and enforcing least-privilege access.
Control: East-West Traffic Security
Mitigation: Lateral movement within the cloud environment would likely have been constrained, limiting access to additional resources.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control activities may have been detected and constrained, reducing their ability to manipulate data.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts would likely have been restricted, reducing the volume of data the attacker could transfer.
The overall impact of the breach may have been reduced, limiting the extent of data exposure and associated financial losses.
Impact at a Glance
Affected Business Functions
- Cloud Service Management
- Data Security
- Financial Operations
Estimated downtime: N/A
Estimated loss: N/A
Potential unauthorized access to sensitive data and services during the revocation delay period.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to limit access and reduce the attack surface.
- Enhance Egress Security & Policy Enforcement to monitor and control outbound traffic.
- Utilize Threat Detection & Anomaly Response to identify and respond to unauthorized activities.
- Apply Multicloud Visibility & Control to gain comprehensive insights across cloud environments.
- Enforce Secure Hybrid Connectivity (DCE) to ensure secure communication between on-premises and cloud resources.