{"id":60706,"date":"2026-05-21T20:23:00","date_gmt":"2026-05-21T20:23:00","guid":{"rendered":"https:\/\/www.theregister.com\/a\/5244504"},"modified":"2026-05-21T20:23:00","modified_gmt":"2026-05-21T20:23:00","slug":"threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/","title":{"rendered":"Threat hunters find Google API keys still usable 23 minutes after deletion"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/image.theregister.com\/5244583.jpg?imageId=5244583&amp;x=0&amp;y=0&amp;cropw=100&amp;croph=100&amp;panox=0&amp;panoy=0&amp;panow=100&amp;panoh=100&amp;width=1200&amp;height=683\" class=\"ff-og-image-inserted\"><\/div>\n<p>You know your Google API key has leaked so you rush to disable it before bad actors can start running up charges on your account. Bad news: According to <a href=\"https:\/\/www.aikido.dev\/blog\/google-api-keys-deletion\">security researchers<\/a>&nbsp;at Aikido, people can use the API keys for up to 23 minutes after a user deletes them, creating a window of opportunity that, when combined with Google\u2019s automatic billing tier upgrades, can devastate victims.<\/p>\n<p>\u201cWe&#8217;ve identified a substantial window where an attacker with access to a leaked Google API key can continue to misuse that credential, after the user believes the key is revoked,\u201d Joseph Leon, a security researcher with Aikido, told <span data-lab-italic=\"italic\" class=\"italic m-italic\">The Register<\/span>. \u201cIn that window, an attacker could run up charges, pull sensitive files uploaded to Gemini, and exfiltrate cached context.\u201d&nbsp;<\/p>\n<p>Aikido tested the gap during 10 trials over two days. In each trial, researchers created an API key, deleted it, and then sent three to five authenticated requests per second until no valid response came back for several minutes.&nbsp;<\/p>\n<p>From the time a user deletes the Google API key to when it can no longer be used propagates gradually across Google&#8217;s infrastructure, he said. Some servers reject the key within seconds while others keep accepting it for 23 minutes.<\/p>\n<p>What this means is that an attacker holding a deleted key can repeatedly send requests until one reaches a server that has not caught up, Leon said. If Gemini is enabled on the project, they can dump files that were uploaded and exfiltrate cached conversations.<\/p>\n<p>The paper cited a similar problem researchers disclosed in December involving<a href=\"https:\/\/www.offensai.com\/blog\/aws-iam-eventual-consistency-persistence\"> AWS keys<\/a>. In that case, after deletion, attackers had a four-second window to exploit, and researchers showed how they could create new credentials in that time.&nbsp;<\/p>\n<p>\u201cFour seconds was enough to matter on AWS,\u201d Leon wrote in the paper. \u201cGiven recent attention to Google API keys <a href=\"https:\/\/trufflesecurity.com\/blog\/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules\">used to access Gemini<\/a>, we set out to measure how long Google&#8217;s API key revocation window remains open.\u201d&nbsp;<\/p>\n<h3>Flaws can hit devs with huge surprise bills<\/h3>\n<p><span data-lab-italic=\"italic\" class=\"italic m-italic\">The Register<\/span> has reported <a href=\"https:\/\/www.theregister.com\/ai-ml\/2026\/05\/13\/google-users-fight-for-refunds-as-unauthorized-api-usage-bills-soar\/5239160\">numerous cases of Google<\/a> API key abuse in which developers are suddenly hit with five figure bills after their credentials are compromised.&nbsp;<\/p>\n<p>The problem was compounded in April after Google reworked its billing policy to include spending tiers for users. While developers initially thought of it as a way to limit costs, Google automatically upgrades that spending tier to the next highest level without their knowledge.&nbsp;<\/p>\n<p>For users who have been working with Google for more than 30 days and have spent more than $1,000 over the lifetime of the account, their cap can be increased from $250 to $100,000 if their usage spikes \u2013 a windfall for crooks if the credentials fall into the wrong hands.<\/p>\n<p>Developers whose Google API keys were stolen told <span data-lab-italic=\"italic\" class=\"italic m-italic\">The Register&nbsp;<\/span>that&nbsp;their bills rocketed up to five figures minutes after their credentials were stolen, as bad actors loaded up on Google\u2019s Gemini models such as Nano Banana and its video production model Veo 3.&nbsp;<\/p>\n<p>Google <a href=\"https:\/\/www.theregister.com\/devops\/2026\/05\/15\/google-reimburses-register-sources-who-were-victims-of-api-fraud\/5241429\">issued refunds in the three instances<\/a> that <span data-lab-italic=\"italic\" class=\"italic m-italic\">The Register<\/span> brought to its attention, returning $154,000 to those developers.<\/p>\n<p>The victims told <span data-lab-italic=\"italic\" class=\"italic m-italic\">The Register<\/span> that, during the attack, they were frantically trying to shut down the spending and turn off access to their projects even as costs climbed by thousands of dollars. Leon said in cases where a Google developer tries to shut off access to their account, deleting the API key will still give crooks time to inflict damage.&nbsp;<\/p>\n<p>\u201cIt&#8217;s hard to put a dollar figure on it,\u201d Leon told us. \u201cThe window averaged 16 minutes in our testing and stretched to nearly 23 at the worst. During that window, the success rate is wildly unpredictable. We saw minutes where over 90% of requests still authenticated, and others where fewer than 1% did. An attacker who knows this can send requests at high volume to maximize their odds of hitting a server that hasn&#8217;t caught up. For Google API keys with Gemini access, the damage isn&#8217;t just a compute bill. It&#8217;s the files and cached context an attacker can exfiltrate before the key actually dies.\u201d&nbsp;<\/p>\n<p>Using VMs, Aikido tested its findings across three Google Cloud regions \u2013 east coast US, western Europe, and southeast Asia \u2013 then they spot checked those results on different dates. For each trial, Aikido deleted a single API key and sent requests from each of the three VMs in parallel, Leon wrote in the paper.&nbsp;<\/p>\n<p>\u201cVMs further from the US picked up the deletion faster, which is the opposite of what you&#8217;d expect. We can&#8217;t say exactly why from the outside. Google&#8217;s request routing is more complex than \u2018VM region equals server region,\u2019 and a VM in Singapore isn&#8217;t necessarily talking to servers in Singapore,\u201d the paper states. \u201cBut the pattern was consistent across trials, which points to something about regional infrastructure, caching, or routing affinity driving the difference.\u201d&nbsp;<\/p>\n<p>The trial used keys with access to Gemini, but he observed the same behavior with keys scoped to other GCP APIs, such as BigQuery and Maps. Google has built faster revocation for other credential types, Leon said.&nbsp;<\/p>\n<p>He said Google\u2019s service account API credential revocations propagate in about 5 seconds. Gemini&#8217;s newer API key format \u2013 the one that starts with AQ \u2013 propagates in about a minute.&nbsp;<\/p>\n<p>\u201cBoth run at Google scale. Both suggest this is technically solvable for Google API keys, too,\u201d Leon wrote.&nbsp;<\/p>\n<div data-element-guid=\"afe083ca-6701-48e9-9bd8-f8827dd7fb42\" class=\"lab4 column articleList layout_vertical imageLayout_left small-12 large-4 small-abs-12 large-abs-4 abs_grid_4 desktop-floatLeft mobile-floatLeft grid-vas-start mobile-grid-vas-start\">\n<div class=\"content border_width_0 border_width_mobile_0 border-radius-48 border-radius-mobile_48\">\n<h2 class=\"article-list-title t19 font-RobotoCondensed\">MORE CONTEXT<\/h2>\n<\/p><\/div>\n<\/div>\n<p>But Google told Aikido it has no plans to address the 23-minute gap researchers found with its other API keys.&nbsp;<\/p>\n<p>\u201cAfter reviewing our report, they closed it as \u2018Won&#8217;t Fix (Infeasible)\u2019 with the comment \u2018the delay due to propagation of the deletion of these keys is working as intended,\u2019 \u201c Leon told us.<\/p>\n<p><span data-lab-italic=\"italic\" class=\"italic m-italic\">The Register<\/span> has reached out to Google about this research, but has not yet received a response.&nbsp; \u00ae <\/p>\n<p> <img decoding=\"async\" src=\"https:\/\/image.theregister.com\/?imageId=5244583&#038;width=800\">READ MORE <a href=\"https:\/\/www.theregister.com\/devops\/2026\/05\/21\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/5244504\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> Plenty of time for bad actors to grab data or hit you with a giant bill READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":60707,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[1254],"class_list":["post-60706","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-register","tag-devops"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Threat hunters find Google API keys still usable 23 minutes after deletion 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Threat hunters find Google API keys still usable 23 minutes after deletion 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-21T20:23:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/image.theregister.com\/5244583.jpg?imageId=5244583&amp;x=0&amp;y=0&amp;cropw=100&amp;croph=100&amp;panox=0&amp;panoy=0&amp;panow=100&amp;panoh=100&amp;width=1200&amp;height=683\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Threat hunters find Google API keys still usable 23 minutes after deletion\",\"datePublished\":\"2026-05-21T20:23:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\\\/\"},\"wordCount\":999,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion.jpg\",\"keywords\":[\"devops\"],\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\\\/\",\"name\":\"Threat hunters find Google API keys still usable 23 minutes after deletion 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion.jpg\",\"datePublished\":\"2026-05-21T20:23:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion.jpg\",\"width\":100,\"height\":68},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"devops\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/devops\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Threat hunters find Google API keys still usable 23 minutes after deletion\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Threat hunters find Google API keys still usable 23 minutes after deletion 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/","og_locale":"en_US","og_type":"article","og_title":"Threat hunters find Google API keys still usable 23 minutes after deletion 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-05-21T20:23:00+00:00","og_image":[{"url":"https:\/\/image.theregister.com\/5244583.jpg?imageId=5244583&amp;x=0&amp;y=0&amp;cropw=100&amp;croph=100&amp;panox=0&amp;panoy=0&amp;panow=100&amp;panoh=100&amp;width=1200&amp;height=683","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Threat hunters find Google API keys still usable 23 minutes after deletion","datePublished":"2026-05-21T20:23:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/"},"wordCount":999,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion.jpg","keywords":["devops"],"articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/","url":"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/","name":"Threat hunters find Google API keys still usable 23 minutes after deletion 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion.jpg","datePublished":"2026-05-21T20:23:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2026\/05\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion.jpg","width":100,"height":68},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/threat-hunters-find-google-api-keys-still-usable-23-minutes-after-deletion\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"devops","item":"https:\/\/www.threatshub.org\/blog\/tag\/devops\/"},{"@type":"ListItem","position":3,"name":"Threat hunters find Google API keys still usable 23 minutes after deletion"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60706","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60706"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60706\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/60707"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60706"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60706"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60706"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}