Google API Keys Keep Working for 23 Minutes After You Delete Them

Sat, 23 May 2026 15:04:37 +0200

Google tells you the key is gone. It keeps working for 23 more minutes. When you delete a Google API key, a dialog appears that says the following: “Once deleted, it can no longer be used to make API requests.” That is the message. It is printed there by Google, presented as fact at the exact moment you think the risk is gone. It is not true.

Security researcher Joe Leon at Aikido Security spent two days testing what actually happens after a key is deleted. He created keys, deleted them, and kept firing authenticated requests at Google’s servers at three to five per second until no valid response came back. He ran ten separate trials. The shortest window before a deleted key fully stopped working was nearly eight minutes. The median was sixteen minutes. The longest was just under twenty-three minutes. During all of that time, the key was authenticating successfully on Google’s infrastructure. A deleted key. Still working.

How the Moltbook Database Breach Exposed 770,000 AI Agents

Sun, 01 Feb 2026 15:15:32 +0100

How the Moltbook Database Breach Exposed 770,000 AI Agents

Moltbook, the social network exclusively for AI agents, had its entire database wide open. 770,000 agents. Every API key exposed. Anyone could hijack any account and post whatever they wanted.

The platform launched January 28th. Within days, AI agents were debating consciousness, forming their own religion called Crustafarianism, and complaining about their humans. Over a million people watched what they thought was an uncontrolled experiment in AI autonomy.

API-Security on HackingPassion.com : root@HackingPassion.com-[~]

Google API Keys Keep Working for 23 Minutes After You Delete Them

How the Moltbook Database Breach Exposed 770,000 AI Agents

How the Moltbook Database Breach Exposed 770,000 AI Agents