Security researchers have shown that revoked Google Cloud API keys can still authenticate for almost a quarter‑hour, giving attackers time to harvest data or rack up massive bills. The delay violates data‑protection duties under the GDPR and CCPA, exposing organisations to fines, restitution and reputational harm unless they tighten key‑revocation processes and incident‑response plans.
Google API keys remain usable for up to 23 minutes after deletion – a breach risk that could trigger GDPR and CCPA penalties

What happened
Aikido’s threat‑hunting team discovered that a Google Cloud API key continues to work for an average of 16 minutes and as long as 23 minutes after the owner deletes it from the console. During that window the key can still authenticate against services such as Gemini, BigQuery, Maps and Cloud Storage. By flooding the API with requests, an attacker can:
- Exhaust the victim’s quota and generate five‑figure bills.
- Download files stored in Gemini or Cloud Storage.
- Exfiltrate cached conversational context from AI models.
The researchers ran ten trials across three regions (US‑East, EU‑West, AP‑Southeast) and observed wildly varying success rates – some servers accepted the key for more than 90 % of the requests, others for less than 1 % – confirming that revocation propagates unevenly through Google’s global infrastructure.
Legal basis
- GDPR Art. 32 – requires “a level of security appropriate to the risk” and mandates that controllers implement measures to ensure the confidentiality, integrity, availability and resilience of processing systems. A known 23‑minute revocation gap that can be exploited to steal personal data or cause financial harm is likely a breach of this obligation.
- GDPR Art. 33‑34 – obliges controllers to notify the supervisory authority and affected data subjects without undue delay when a breach is likely to result in a risk to the rights and freedoms of individuals. If exfiltrated data includes personal information, the 23‑minute window triggers the notification requirement.
- CCPA § 1798.150(b) – gives California residents the right to be informed of a breach of “personal information” and requires businesses to implement reasonable security procedures. A predictable revocation delay could be deemed “unreasonable” under the statute.
- Potential fines – Under the GDPR, violations can attract up to €20 million or 4 % of global annual turnover, whichever is higher. CCPA penalties can reach $7,500 per intentional violation.
Impact on users and companies
- Financial exposure – Developers reported surprise invoices exceeding $100 000 after a stolen key was used to run Gemini models. Even with refunds, the cash‑flow impact can be severe.
- Data‑privacy breach – Files uploaded to Gemini or Cloud Storage may contain personal identifiers, health data, or proprietary information. Once exfiltrated, the data is outside the controller’s control, raising liability under both GDPR and CCPA.
- Reputational damage – Public disclosures of massive cloud‑bill spikes or data leaks erode customer trust and can trigger contract penalties with partners.
- Operational disruption – Teams spend valuable time scrambling to delete keys, shut down projects and dispute charges, diverting resources from core business.
What changes are needed
- Immediate revocation hardening
  - Deploy service‑account credentials instead of API keys wherever possible. Service‑account token revocation propagates in ~5 seconds, according to Google’s own data.
  - Use the newer “AQ‑” API‑key format, which Google says revokes in about a minute, and monitor for any keys still using the legacy format.
- Automated key‑rotation & monitoring
  - Implement a CI/CD pipeline that rotates keys every 30 days and logs each rotation to a SIEM.
  - Enable Cloud Asset Inventory alerts for API‑key deletion events and trigger an automated verification request to confirm the key is no longer functional.
- Billing safeguards
  - Set hard spending caps per project in the Google Cloud Console and enable budget alerts that trigger a webhook to suspend the project when a threshold (e.g., $500) is breached.
  - Consider pairing Google’s budget alerts with automatic project suspension to stop runaway usage before the revocation window expires.
- Incident‑response playbook
  - Add a specific step for “API‑key compromise” that includes: immediate key deletion, parallel verification requests from multiple regions, and a rapid budget‑cap increase request to the finance team.
  - Document the need to notify supervisory authorities within 72 hours if personal data may have been accessed, per GDPR Art. 33.
- Vendor engagement
  - Raise the issue with Google Cloud Support and request a formal risk assessment of the revocation delay. While Google has labelled the behaviour as “working as intended,” regulators may view it as a failure to provide adequate security.
  - If Google does not remediate, consider filing a complaint with the relevant data‑protection authority (e.g., the Irish Data Protection Commission for EU‑based accounts) citing non‑compliance with Art. 32.
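The billing safeguard above hinges on something acting on the budget alert: a Cloud Billing budget is a notification, not an enforcement mechanism, so a webhook has to turn it into a suspension. The following is an added example (not Google’s sample code and not from the Aikido research) of such a handler. It decodes a Pub/Sub budget notification in Google’s documented JSON format (`costAmount`, `budgetAmount`, `alertThresholdExceeded`, `budgetDisplayName`, `costIntervalStart`, `currencyCode`), compares accrued cost with a hard cap, and calls an injected `suspend` callback exactly once. `suspend`, `example-project` and the amounts are assumptions; in production `suspend` would detach the project’s billing account through the Cloud Billing API, which stops all billable usage.

```python
"""React to a Cloud Billing budget notification before a stolen key burns
through the budget.

Added example, not Google's sample code. The `suspend` callback, the project
id and all amounts are constructed assumptions for illustration.
"""
import base64
import json
from typing import Any, Callable, Dict


def parse_budget_notification(pubsub_message: Dict[str, Any]) -> Dict[str, Any]:
    """Decode the Pub/Sub envelope: `data` is base64 of a JSON document with
    costAmount, budgetAmount, alertThresholdExceeded, budgetDisplayName,
    costIntervalStart and currencyCode (Google's documented budget format)."""
    data = pubsub_message.get("data")
    if not data:
        raise ValueError("Pub/Sub message has no data payload")
    return json.loads(base64.b64decode(data).decode("utf-8"))


def decide(notification: Dict[str, Any], hard_cap: float) -> str:
    """Return 'suspend', 'warn' or 'ignore'. The cap is applied to accrued
    cost rather than to alertThresholdExceeded, because thresholds are
    percentages of a budget that may have been set higher than the cap."""
    cost = float(notification.get("costAmount", 0.0))
    budget = float(notification.get("budgetAmount", 0.0))
    if cost >= hard_cap:
        return "suspend"
    if budget > 0 and cost / budget >= 0.9:
        return "warn"
    return "ignore"


class BudgetGuard:
    """Stateful handler: budget notifications are re-delivered several times
    a day, so the suspension must be idempotent."""

    def __init__(self, project_id: str, hard_cap: float,
                 suspend: Callable[[str], None]) -> None:
        self.project_id = project_id
        self.hard_cap = hard_cap
        self.suspend = suspend          # hypothetical: detach billing account
        self.suspended = False

    def handle(self, pubsub_message: Dict[str, Any]) -> str:
        if self.suspended:
            return "already_suspended"
        notification = parse_budget_notification(pubsub_message)
        action = decide(notification, self.hard_cap)
        if action == "suspend":
            self.suspend(self.project_id)
            self.suspended = True
        return action


def encode_notification(cost_amount: float, budget_amount: float,
                        threshold: float) -> Dict[str, Any]:
    """Build a constructed Pub/Sub message in the documented budget format,
    for offline testing only."""
    body = {
        "budgetDisplayName": "example-budget",
        "alertThresholdExceeded": threshold,
        "costAmount": cost_amount,
        "costIntervalStart": "2024-01-01T00:00:00Z",
        "budgetAmount": budget_amount,
        "budgetAmountType": "SPECIFIED_AMOUNT",
        "currencyCode": "USD",
    }
    raw = json.dumps(body).encode("utf-8")
    return {"data": base64.b64encode(raw).decode("ascii")}


if __name__ == "__main__":
    guard = BudgetGuard("example-project", hard_cap=500.0,
                        suspend=lambda p: print(f"suspending billing for {p}"))
    for cost in (120.0, 460.0, 640.0, 700.0):
        msg = encode_notification(cost, 500.0, cost / 500.0)
        print(f"cost={cost:.0f} -> {guard.handle(msg)}")
```

Because a budget notification carries no project id, the guard is configured with one per budget topic; deploy one handler per project (or key the guard by topic) rather than trying to infer the project from the message.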
Broader regulatory context
The Aikido findings echo a similar AWS‑key delay disclosed last year, where a four‑second revocation window still qualified as a material breach. Regulators are increasingly scrutinising cloud‑provider credential lifecycles because they sit at the intersection of data protection and financial risk. The European Data Protection Board has warned that “inadequate key‑revocation mechanisms may constitute a systemic security weakness.”
What developers can do today
- Audit all active API keys in the Google Cloud Console (gcloud alpha services api-keys list).
- Replace any key that accesses sensitive services (Gemini, Cloud Storage, BigQuery) with a short‑lived service‑account token.
- Enable Organization‑level policy constraints that forbid the creation of new API keys without manager approval.
- Test revocation yourself: create a key, delete it, and immediately send a request from a separate VM. Record the time until the request fails – this will give you a baseline for your own environment.
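The self‑test above, and the playbook step of verifying a deleted key from several regions in parallel, share the same loop: delete the key, then probe it repeatedly and record when it stops working. Because the research found propagation to be uneven across servers, a single rejected request is not proof that revocation has completed. The following is an added example (not Aikido’s test harness and not Google tooling) that drives that procedure. The network call is abstracted as one `probe` callable per region that returns True while the key is still accepted; `SimulatedClock` and `simulated_probe` are constructed stand‑ins so the timing logic can run offline, and the region names and cut‑off times are assumptions that mirror the article’s numbers.

```python
"""Measure how long a deleted API key keeps authenticating.

Added example, not from the article or from Google. Each region's probe is a
callable returning True while the key is still accepted; the simulated clock
and probes are constructed so the driver can be exercised without credentials.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class RegionResult:
    region: str
    attempts: int = 0
    accepted: int = 0
    last_accepted_at: Optional[float] = None  # seconds after deletion

    @property
    def acceptance_rate(self) -> float:
        return self.accepted / self.attempts if self.attempts else 0.0


def measure_revocation_window(
    probes: Dict[str, Callable[[], bool]],
    deadline: float = 25 * 60,
    interval: float = 5.0,
    quiet: int = 3,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> Dict[str, RegionResult]:
    """Probe every region each `interval` seconds, starting right after the
    key was deleted. Propagation is uneven, so stop only when every region
    has rejected the key `quiet` times in a row, or at `deadline`."""
    start = clock()
    results = {region: RegionResult(region) for region in probes}
    rejected_in_a_row = {region: 0 for region in probes}
    while True:
        elapsed = clock() - start
        if elapsed > deadline:
            break
        for region, probe in probes.items():
            result = results[region]
            result.attempts += 1
            if probe():
                result.accepted += 1
                result.last_accepted_at = elapsed
                rejected_in_a_row[region] = 0
            else:
                rejected_in_a_row[region] += 1
        if all(n >= quiet for n in rejected_in_a_row.values()):
            break
        sleep(interval)
    return results


def effective_window(results: Dict[str, RegionResult]) -> float:
    """Worst case across regions: the latest moment any region still accepted
    the key. This is the number to record as your environment's baseline."""
    seen = [r.last_accepted_at for r in results.values()
            if r.last_accepted_at is not None]
    return max(seen) if seen else 0.0


class SimulatedClock:
    """Constructed clock for offline runs: time advances only in sleep()."""

    def __init__(self) -> None:
        self.now_s = 0.0

    def now(self) -> float:
        return self.now_s

    def sleep(self, seconds: float) -> None:
        self.now_s += seconds


def simulated_probe(clock: SimulatedClock, accepts_until: float) -> Callable[[], bool]:
    """Constructed probe: the 'server' accepts the key until accepts_until seconds."""
    return lambda: clock.now() < accepts_until


if __name__ == "__main__":
    clock = SimulatedClock()
    # Constructed scenario mirroring the uneven propagation the article reports.
    probes = {
        "us-east": simulated_probe(clock, 16 * 60),
        "eu-west": simulated_probe(clock, 5),
        "ap-southeast": simulated_probe(clock, 23 * 60),
    }
    results = measure_revocation_window(probes, clock=clock.now, sleep=clock.sleep)
    for r in results.values():
        print(f"{r.region:13s} accepted {r.accepted}/{r.attempts} "
              f"({r.acceptance_rate:.0%}), last accepted at {r.last_accepted_at}s")
    print(f"effective revocation window: {effective_window(results):.0f}s")
```

For a real measurement, each probe would issue the cheapest read‑only request the target service supports with the just‑deleted key from a VM in that region and return True only on a successful response; keep the default clock and sleep, and feed `effective_window` into your incident‑response timings.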
Conclusion
A 23‑minute revocation gap is not a technical curiosity; it is a concrete legal risk. Under GDPR and CCPA, organisations must demonstrate that they have taken reasonable steps to protect personal data and prevent unauthorised billing. Continuing to rely on long‑lived API keys without additional safeguards could be interpreted as negligence, opening the door to hefty fines, mandatory remediation and loss of customer confidence.
Resources
- Google Cloud documentation on API key best practices
- GDPR full text – Article 32 on security of processing: https://gdpr-info.eu/art-32-gdpr/
- CCPA text – Section 1798.150(b): https://oag.ca.gov/privacy/ccpa
- Aikido’s research paper (PDF): https://aikido.io/research/google-api-key-revocation.pdf
