Source: Dark Reading — 21 May 2026
What we are tracking
A security researcher discovered that API keys can still be used for 23 minutes after deletion, even though the cloud provider claims deletion is immediate.
RingSafe analysis
The 23-minute gap between API key deletion and effective revocation has real consequences for Indian product teams running on Google Cloud, Maps Platform, and Firebase: “I deleted the key as soon as I saw the leak” buys an attacker a generous window to extract data, spin up paid resources, or pivot laterally. The right primitive is rotation plus invalidation plus alerting — delete the key, immediately issue a new one bound to the same service, and run a Cloud Audit Logs query for the deleted key’s activity for the following 30 minutes as a deliberate detection step. In MITRE ATT&CK terms, this is T1552.001 (Credentials in Files) at the exposure stage and T1078.004 (Cloud Accounts) at the use stage. Under DPDP Section 8, any API key with access to user data triggers breach-notification analysis the moment unauthorised use is suspected — and “I revoked it five minutes ago” no longer holds as a defence against use within the 23-minute window.
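The 30-minute post-deletion check described above, as an added example that is not from the original report or from RingSafe. The event schema, key names, timestamps and IP addresses are constructed for illustration and are not the real Cloud Audit Logs record format; map the fields to your own log export.

```python
from datetime import datetime, timedelta, timezone

WATCH_WINDOW = timedelta(minutes=30)  # post-deletion watch period from the text
DELETED_AT = datetime(2026, 5, 21, 10, 0, 0, tzinfo=timezone.utc)  # constructed

# Constructed events in a simplified, hypothetical schema
# (not the real Cloud Audit Logs record format).
SAMPLE_EVENTS = [
    {"ts": "2026-05-21T09:58:00Z", "key_id": "key-old", "status": 200, "ip": "203.0.113.10"},
    {"ts": "2026-05-21T10:04:30Z", "key_id": "key-old", "status": 200, "ip": "198.51.100.7"},
    {"ts": "2026-05-21T10:12:00Z", "key_id": "key-new", "status": 200, "ip": "203.0.113.10"},
    {"ts": "2026-05-21T10:19:45Z", "key_id": "key-old", "status": 200, "ip": "198.51.100.7"},
    {"ts": "2026-05-21T10:26:10Z", "key_id": "key-old", "status": 403, "ip": "198.51.100.7"},
]


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2026-05-21T10:04:30Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def post_deletion_use(events, key_id, deleted_at, window=WATCH_WINDOW):
    """Return accepted requests made with key_id after deletion, inside the window."""
    end = deleted_at + window
    hits = []
    for ev in events:
        ts = parse_ts(ev["ts"])
        if ev["key_id"] != key_id or not (deleted_at < ts <= end):
            continue  # other key, pre-deletion traffic, or outside the watch period
        if 200 <= ev["status"] < 300:  # accepted: the deleted key still worked
            hits.append({**ev, "lag": ts - deleted_at})
    return sorted(hits, key=lambda h: h["lag"])


def summarize(hits):
    """Condense hits into what an incident record needs: count, worst lag, sources."""
    if not hits:
        return {"count": 0, "max_lag": None, "ips": []}
    return {
        "count": len(hits),
        "max_lag": hits[-1]["lag"],
        "ips": sorted({h["ip"] for h in hits}),
    }


if __name__ == "__main__":
    print(summarize(post_deletion_use(SAMPLE_EVENTS, "key-old", DELETED_AT)))
```

Any non-zero count means the deleted key was accepted after deletion, which is the point at which the breach-notification analysis mentioned above starts.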
Read the original report
Google API Keys Remain Active After Deletion → at Dark Reading