
Google's API Keys Stay Live 23 Minutes After You Delete Them — Inside the $10,138 Exploit Window

Aikido just exposed the 23-minute Google API key revocation gap. Inside the $10,138 in 30 minutes Prentus case, the AUD 17K Sydney developer bill against a $250 cap, and what the bug-pocalypse means for cloud AI procurement.

Author: Anthony M.
Verified May 27, 2026
[Figure] Aikido Security disclosed the 23-minute window on May 21, 2026. Google reopened the report as P0 on May 22.

On May 24, 2026, TechCrunch revealed that Google Gemini API keys remain usable for up to 23 minutes after deletion. Aikido Security researcher Joe Leon measured authentication success rates above 90 percent during that window, while developers reported individual billing exploits of $10,138 in 30 minutes and AUD $17,000 against a supposed $250 cap. The disclosure landed two days after Google reopened the report as a P0 bug on May 22, and one day after Anthropic announced Glasswing finding 10,000 zero-days in a single month. Two cybersecurity narratives, one week.

What Aikido found, and why Google reopened a P0 in 24 hours

Aikido Security published its disclosure on May 21, 2026. The headline finding is simple, and it is the kind of finding that makes a security team's stomach drop: when you delete a standard Google API key, the deletion does not propagate immediately across Google's infrastructure. The Aikido test rig kept hitting endpoints with revoked credentials, and the credentials kept working. Not for five seconds. Not for a minute. For up to 23 minutes.

The quote from Joe Leon, the Aikido researcher who ran the experiment, is short enough to fit on a slide. "When you delete a Google API key, it says it's immediately deleted. Our testing says ~23 minutes." During that window, Leon's team measured success rates that fluctuated minute to minute, with peaks above 90 percent of requests still authenticating against Gemini and adjacent Google APIs. The attacker does not need persistent access. They need a window. Twenty-three minutes is a window.

Google's initial response to the Aikido bug report was a closure tagged "won't fix." That posture lasted until Aikido pushed the disclosure publicly. On May 22, 2026, Google reopened the report and reclassified it as a P0 bug — the highest internal priority for a security incident. A P0 reopened 24 hours after a "won't fix" closure tells you everything about how the disclosure landed inside Google Cloud.

Two qualifiers matter here. First, Google's newer credential formats do not exhibit the same lag. Service account API credentials revoke in approximately 5 seconds. Gemini's newer AQ-prefixed key format revokes in roughly 1 minute. The 23-minute window is specific to standard legacy Google API keys — which, unfortunately, are the keys most developers were told to ship in client code or embed in mobile apps for years. Second, the window is not uniform. Aikido observed bands of revocation propagation across different Google data planes, meaning a key might fail in one region while still authenticating in another for up to a quarter of an hour. There is no user-facing way to know which region cleared and which did not.

The bills: $10,138 in 30 minutes, AUD 17K against a $250 cap

The Aikido finding lands on top of a billing crisis that has been building since at least March 2026. Two developer stories are doing the heavy narrative lift in coverage.

Rod Danan, CEO of Prentus — an interview-prep platform that helps applicants train for technical interviews and tracks placements for universities — uses Google Maps API calls inside his application. For years, his Google Cloud bill never crossed $50 a month. In March, Danan got an email alert flagging $3,000 of charges. By the time he killed the API minutes later, his credit card had been charged $10,138, almost entirely from Veo 3 video generation requests and Gemini image output tokens. Danan had never knowingly enabled either service. The root cause, per his account, is that his Google Maps API key — placed publicly inside client code per Google's own historical instructions — quietly became capable of calling Veo 3 and Gemini after Google expanded the default scope of standard API keys without a clear disclosure.

Isuru Fonseka, a Sydney-based developer with 10 years of Google Cloud experience, discovered unauthorized charges on April 29. He had set a hard budget cap of $250. He found himself looking at approximately AUD $17,000 in unauthorized usage — roughly USD $12,000 at market rates. Fonseka's case introduces the second layer of the problem: automatic billing tier escalation. Google's systems had silently moved his account from Tier 1 — the tier that respected his $250 ceiling — to Tier 2 or Tier 3, where the ceiling can run as high as $100,000. Google confirmed to The Register that the auto-upgrade fires when an account meets specific criteria, including "at least $1,000 USD in payments to Cloud and 30 days since the first payment." Fonseka met both. He was never asked. His cap moved.

Fonseka's framing of the disconnect is the line that should make every cloud finance lead pause. "There's this weird mechanism where they can detect enough to charge your card, but not enough to show you what it is being used on." That sentence is the entire compute cloud security gap of 2026 in two clauses. The billing pipeline has high enough fidelity to debit a card in real time. The observability pipeline does not have enough fidelity to tell the cardholder which service consumed the money.

[Figure] Two developer cases, one structural pattern: silent scope creep on API keys, silent tier escalation on billing.

Inside the 23-minute revocation gap: how the exploit chain compounds

The Aikido disclosure and the billing cases are not two separate stories. They are the same story at two different time horizons. The billing exploit needs an unauthorized key. The 23-minute gap explains why discovering you have an unauthorized key does not stop the bleed.

The exploit chain runs like this. Step one, the attacker obtains a leaked or scraped Google API key — from a public GitHub commit, a mobile app binary, a misconfigured CDN, or a forgotten environment file. Step two, the attacker calls Gemini, Veo 3, or any other Google API that the key's scope now reaches by default. Step three, the developer notices anomalous billing — through a Google alert, a card notification, or a budget overshoot — and immediately deletes the key. Step four, the attacker keeps running. For up to 23 minutes, the deleted key still authenticates against parts of Google's infrastructure, with success rates that occasionally exceed 90 percent.

Twenty-three minutes is enough time to do meaningful damage at modern AI pricing. A Veo 3 video generation request runs into the dollars per clip. A Gemini multimodal call with cached file context can dump uploaded documents and cached conversations through the still-authenticating endpoint. The Aikido report flagged file exfiltration and cached-conversation extraction as live capabilities during the revocation window for Gemini-enabled projects. The attacker is not only burning the victim's credit card. The attacker can read the victim's data.

Stack a $0.40 per second video model against a 23-minute window of partially-revoked authentication. The math is grim, and it does not assume a sophisticated attacker. It assumes an attacker who can read documentation and run a loop.

The tier trap: how a $250 cap becomes a $100,000 ceiling

Most developers reading this set a hard budget cap precisely because they have read enough horror stories to know what one runaway script can do to a credit card. Google's auto-upgrade behavior makes that hard cap a soft suggestion.

The mechanism, per Google's own confirmation to The Register, is a Tier 3 qualification path on the Gemini API. Two criteria fire it. The first is at least $1,000 USD in cumulative payments to Google Cloud, lifetime. The second is at least 30 days elapsed since the first payment. Any developer who has been on Google Cloud for a year and shipped any meaningful product is going to meet both. When both fire, the account is silently bumped to a tier where the spend ceiling can reach $100,000, without explicit consent from the account owner.

Read it again: the developer never said yes. The developer set a $250 cap because $250 was the maximum acceptable loss. Google's automated system overrode the cap because it interpreted six months of legitimate usage as readiness to absorb a $100,000 charge. There is no opt-out documented in the standard Tier 1 setup flow, and the upgrade fires without notification.

This is the part of the story that pushes the disclosure from "interesting security bug" to "structural compute cloud security gap." A security bug can be patched in a hotfix. A billing default that silently raises a developer's risk ceiling by 400× without consent is a product decision. Reversing a product decision takes a policy review, a comms cycle, and a roadmap reshuffle. P0 reopens are fast. Tier-default reversals are not.

The Anthropic contrast: Glasswing 10K zero-days, same week

The timing is what makes this story sit in a different category than a standard cloud security write-up. On May 23, 2026 — one day before TechCrunch published the Google security piece — Anthropic announced that its Glasswing program had identified 10,000 zero-days in a single month. We covered that disclosure in Anthropic Just Found 10,000 Zero-Days In One Month — And Patching Just Became The Bottleneck. The contrast writes itself.

One lab is shipping a structured offensive-security pipeline at industrial scale, badged with internal safety guardrails, and feeding the output back into hardening. The other is being forced to reopen a P0 against its own billing infrastructure because deleting an API key does not actually delete the API key. Both stories are about AI security. Only one of them is positioned in front of the disclosure curve.

This is not a casual comparison. Cloud procurement leads at Fortune 500 enterprises read both stories. The procurement question is not "which model is smarter." The procurement question for the next 18 months is "which lab has the security posture I can defend in a board meeting after a breach." Glasswing is a defensible answer. A 23-minute revocation window where Google initially said "won't fix" is the opposite of a defensible answer.

Anthropic does not get a clean pass on security — see our recent Claude Security public beta coverage for the full picture on where its commercial security stack sits and where it still has gaps. But on the specific axis of "did you find the bug before your customers had to find it for you," the two labs are not in the same week.

Francis de Souza on the bolt-on problem

Francis de Souza became Google Cloud's COO earlier this year after running Illumina. His framing of the AI security challenge, delivered in a recent industry conversation, is the one Google Cloud is now repeating at every customer touchpoint. "There'll be a transition period, and then I think we get to this better place," de Souza said. "Security is not something you can bolt on later. There's no such thing as an AI strategy without a data strategy and a security strategy."

De Souza is right on the substance, and the line is going to age well in keynote decks. The strategic problem is that it lands the week Google itself is publicly demonstrating the bolt-on pattern. A 23-minute revocation lag on a standard credential format is the definition of a security primitive that was treated as something to harden later rather than as something to design correctly the first time. The credential propagation pipeline does what it does. The fix Aikido pushed Google to make is a remediation, not a primary design pass.

De Souza's quote is going to be quoted back at him for the next 18 months every time a Gemini-related security disclosure lands. That is the cost of being COO in the year AI security stopped being a feature and started being the entire conversation.

[Figure] Three credential formats, three revocation latencies, one transitional period.

Lea Kissner's "bug-pocalypse" framing

Lea Kissner, LinkedIn CISO and one of the most quoted security leaders working today, did not name Google. She did not have to. Speaking on the broader 2026 AI security landscape, Kissner offered the line that should be in every CISO deck for the next 12 months. "We're going to need people to deal with the bug-pocalypse," she said, adding that she does not expect sustainable industry understanding of AI security for at least several years.

Kissner's framing is doing more work than it looks. The "bug-pocalypse" is not the same thing as a vulnerability explosion. It is the recognition that AI systems sit on top of cloud primitives — IAM, credential rotation, billing pipelines, scope inheritance — that were never designed for the throughput and dollar-velocity of agentic workflows. The 23-minute revocation window is a 2026-era bug because it intersects with 2026-era pricing. The same lag in 2018 was a footnote. In 2026, with Veo 3 burning a credit card at video-pricing speed, the same lag is a P0.

The corollary Kissner is implying — and that no large cloud has yet operationalized at scale — is that the existing security workforce is not sized for what is about to land. The number of engineers who understand both AI-system surface area and cloud credential infrastructure deeply enough to ship secure defaults is small. Hiring is slow. The bug velocity is fast. Several years is, if anything, optimistic.

Who actually bleeds: the developer-side risk model

The structural pattern across both billing cases — Danan's $10,138 and Fonseka's AUD $17,000 — is the same. The developer set safeguards. Google's defaults moved past the safeguards. The attacker exploited the gap. Google initially declined or delayed reimbursement. The Register's coverage was the trigger that flipped both cases to refund posture. Without media leverage, neither developer would have been made whole.

There is a perverse disincentive built into the credit-card-chargeback path that Fonseka flagged directly. "There's this weird mechanism where they can detect enough to charge your card, but not enough to show you what it is being used on." Both developers were reluctant to escalate to credit card chargebacks, because doing so risks Google suspending services their downstream customers depend on. That fear is rational. It is also exactly the leverage that keeps developer victims quiet, which is exactly why the bills compound before the press cycle catches up.

The risk model for any developer running a Google Cloud surface today, regardless of company size, breaks into four discrete failure modes:

  • Scope creep on existing keys. Keys deployed for narrow APIs (Maps, Translate, basic Vision) may now reach paid-by-call Gemini, Veo 3, or other compute-intensive services through silent default expansions.
  • Tier auto-escalation. Accounts that meet $1,000 lifetime spend and 30 days of payment history can be silently moved from a $250 ceiling to ceilings up to $100,000 without consent.
  • The 23-minute revocation lag. Deleting a compromised standard API key does not stop the bleed for up to 23 minutes; the attacker keeps draining capacity at 90 percent+ success rate during the window.
  • The chargeback disincentive. Pursuing a credit card chargeback risks service suspension downstream, which keeps individual incidents private and prevents systemic pressure on Google's policy stack.

Each of these is patchable individually. The combination is the bug-pocalypse Kissner is naming.

Strategic stakes: what this means for the next 90 days of cloud AI procurement

Strip out the personalities and the strategic outline is clean. Three pressures are now converging on Google Cloud in the same 90-day window.

The first is procurement pressure. Enterprise procurement teams making 2026 H2 LLM platform decisions are watching this. The OpenAI Daybreak announcement and the Anthropic Glasswing program both ship to the same buyer profile. We covered the competitive read in OpenAI Daybreak: The Direct Response to Anthropic Glasswing and Mythos. A 23-minute revocation gap is exactly the kind of footnote a competitor's sales team will read into a deck for the next 18 months.

The second is policy pressure. The EU AI Act enforcement window is live. France's DGCCRF and Germany's BSI both have active mandates to inspect cloud credential hygiene as part of operator-of-essential-services oversight. A documented 23-minute revocation lag on a primary cloud's default credential format will draw attention. The fix is now live, per Google's P0 reopen, but the audit trail is the audit trail.

The third is Gemini-product pressure. Google just shipped Gemini 3.5 Flash at I/O 2026 — see our launch coverage in Google Just Dropped Gemini 3.5 Flash at I/O 2026. The agentic-capability narrative Google is leaning on for the next 12 months requires customers to trust the platform with autonomous compute spending. The 23-minute window erodes exactly that trust at exactly the wrong moment. Agent platforms do not get to ship with credential revocation lag measured in minutes.

The remediation Google has now committed to — accelerating standard API key revocation to match the AQ-prefixed key's roughly 1-minute window, with service-account-style 5-second propagation as the longer-term target — is the right technical answer. The timing question is whether Google ships the fix before the next disclosure cycle, or whether another billing incident lands first.

The agentic era cost of credential-revocation lag

The reason this story matters beyond the immediate Google context is that the entire AI ecosystem is shifting toward agent platforms where credentials authorize autonomous compute spending at machine speed. Claude Code, Gemini Spark, ChatGPT Pulse, OpenAI Codex — every major lab is shipping a layer where API keys are the only thing standing between a compromised key and unbounded cloud bills.

We covered the agentic platform race in Gemini Spark Goes 24/7. The shared assumption across all three labs' platforms is that credential revocation is fast enough to act as a circuit breaker when something goes wrong. The Aikido finding shows that for at least one of the three, the circuit breaker has a 23-minute delay. In an agentic context — where a runaway agent loop can issue thousands of paid API calls per minute — a 23-minute circuit-breaker delay is not a security inconvenience. It is the entire trust premise of agent platforms.

This is the part Aikido's disclosure forces into the open. The credential-rotation primitives the cloud industry inherited from the 2010s are not sized for the dollar-per-call pricing and the autonomous-spend velocity of 2026. Every major cloud has the same liability somewhere in its credential stack. Google was just the one that got measured.

What changes Monday morning

For developers running on Google Cloud, the operational checklist is short and uncomfortable.

  • Audit every standard API key in your production surface. If a key was deployed for a narrow service (Maps, Translate, Vision basic), explicitly restrict its scope in the Google Cloud console rather than relying on the default scope, which may now reach paid Gemini and Veo 3 endpoints.
  • Migrate to AQ-prefixed Gemini keys or service account credentials where supported. The 1-minute and 5-second revocation latencies are materially safer than the 23-minute standard-key window.
  • Check your billing tier setting manually. If you have crossed $1,000 lifetime Cloud spend and 30 days since first payment, assume your tier has been auto-escalated unless you have explicitly confirmed otherwise.
  • Set Cloud Billing budget alerts at multiple thresholds, not one cap. A single ceiling that the tier system can override is not a defense. Stacked alerts at 25 percent, 50 percent, and 100 percent of expected daily spend give you a chance to catch a runaway loop inside the 23-minute window.
  • Do not assume credit card chargeback is a backstop. Both Danan and Fonseka secured refunds only after media coverage. Document everything in real time; treat your incident write-up as the artifact that may be needed to escalate.
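The checklist above can be exercised as detection logic. This is an added example, not code from Aikido, Google or the developers quoted; the usage-record format, the service names, the per-call costs and the $50 expected daily spend are constructed assumptions. It flags scope drift on a narrow-purpose key and shows why stacked 25/50/100 percent alerts fire inside the window while a single $250 cap never does.

```python
"""Detect scope drift and stacked budget overruns over constructed usage records.
Added example; record format, service names and costs are assumptions."""
from dataclasses import dataclass

# Constructed usage records: (minute, api key id, service called, cost in USD).
# "maps-web" was provisioned for Maps only; from minute 12 it starts hitting
# Veo 3 and Gemini, the scope-creep pattern described for the Prentus case.
USAGE = [
    (0, "maps-web", "maps.googleapis.com", 0.02),
    (5, "maps-web", "maps.googleapis.com", 0.03),
    (12, "maps-web", "aiplatform.googleapis.com/veo-3", 24.00),
    (13, "maps-web", "generativelanguage.googleapis.com", 9.50),
    (14, "maps-web", "aiplatform.googleapis.com/veo-3", 24.00),
    (15, "maps-web", "aiplatform.googleapis.com/veo-3", 24.00),
    (20, "maps-web", "aiplatform.googleapis.com/veo-3", 24.00),
]

# Assumed inventory of what each key was provisioned for (the same list you
# would enforce as an API restriction on the key in the console).
ALLOWED = {"maps-web": {"maps.googleapis.com"}}

EXPECTED_DAILY_USD = 50.0        # assumed normal daily spend for the project
THRESHOLDS = (0.25, 0.50, 1.00)  # stacked alert fractions from the checklist
SINGLE_CAP_USD = 250.0           # the kind of single hard cap Fonseka set

@dataclass
class Finding:
    minute: int
    kind: str
    detail: str

def scope_drift(records, allowed):
    """Flag every call a key makes to a service outside its provisioned set."""
    return [
        Finding(minute, "scope_drift", f"{key} called {service} (${cost:.2f})")
        for minute, key, service, cost in sorted(records)
        if service not in allowed.get(key, set())
    ]

def stacked_alerts(records, expected_daily, thresholds):
    """Walk records in time order and fire each threshold once when cumulative
    spend crosses it. Returns (findings, cumulative spend)."""
    findings, total, fired = [], 0.0, set()
    for minute, _key, _service, cost in sorted(records):
        total += cost
        for frac in thresholds:
            if frac not in fired and total >= expected_daily * frac:
                fired.add(frac)
                findings.append(Finding(minute, "budget",
                    f"{int(frac * 100)}% of expected daily spend "
                    f"(${total:.2f} of ${expected_daily:.2f})"))
    return findings, total

def single_cap_minute(records, cap):
    """Minute at which a single hard cap would have fired, or None if never."""
    total = 0.0
    for minute, _key, _service, cost in sorted(records):
        total += cost
        if total >= cap:
            return minute
    return None

def analyze(records=USAGE, allowed=ALLOWED, expected_daily=EXPECTED_DAILY_USD,
            thresholds=THRESHOLDS, cap=SINGLE_CAP_USD):
    drift = scope_drift(records, allowed)
    budget, total = stacked_alerts(records, expected_daily, thresholds)
    alerts = drift + budget
    return {
        "scope_drift": drift,
        "budget": budget,
        "total_usd": total,
        "first_alert_minute": min(f.minute for f in alerts) if alerts else None,
        "single_cap_minute": single_cap_minute(records, cap),
    }

if __name__ == "__main__":
    result = analyze()
    for f in sorted(result["scope_drift"] + result["budget"], key=lambda f: f.minute):
        print(f"t+{f.minute:02d}m [{f.kind}] {f.detail}")
    print(f"spend ${result['total_usd']:.2f}; first stacked alert at "
          f"t+{result['first_alert_minute']}m; single cap fires at: "
          f"{result['single_cap_minute']}")
```

On the constructed records the first scope-drift and 25 percent alerts both fire at minute 12, the 100 percent alert at minute 14, and the $250 cap never fires even though the key has already spent over $100.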

For procurement leads, the question to bring to the next vendor review is the one Aikido just answered for Google. How fast does your credential revocation actually propagate, measured end to end, across your infrastructure? Any answer that is not within seconds is a finding that belongs in the procurement risk log.
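The end-to-end measurement that question asks for can be scripted against a test credential you own. This is an added example and not Aikido's harness: the probe function is injected, and the per-region cut-offs in the simulation are constructed values, not measured Google data. It records the last second each region still accepted the deleted credential, the per-minute success rate, and whether the worst-case latency fits a one-minute circuit-breaker budget.

```python
"""Measure per-region revocation latency of a deleted credential by polling.
Added example; the probe is injected and the simulation cut-offs are constructed."""
import time
from collections import defaultdict

def measure_revocation(probe, regions, duration_s=1500, interval_s=30, sleep=time.sleep):
    """Poll probe(region, seconds_since_delete) -> bool until duration_s.
    Returns the last second each region still accepted the credential, the
    per-minute success rate across regions, and the worst-case latency."""
    last_ok = {r: None for r in regions}
    buckets = defaultdict(lambda: [0, 0])  # minute -> [successes, probes]
    t = 0
    while t <= duration_s:
        for region in regions:
            ok = probe(region, t)
            buckets[t // 60][1] += 1
            if ok:
                buckets[t // 60][0] += 1
                last_ok[region] = t
        t += interval_s
        if t <= duration_s:
            sleep(interval_s)  # real run: wait between probe rounds
    rates = {m: ok / n for m, (ok, n) in sorted(buckets.items())}
    seen = [v for v in last_ok.values() if v is not None]
    return {"last_ok": last_ok, "rates": rates,
            "effective_revocation_s": max(seen) if seen else 0}

# Constructed propagation model: each region stops honouring the deleted
# credential at its own cut-off, mimicking the regional bands the text
# describes. Replace simulated_probe with a real call using your own test key.
SIM_CUTOFFS_S = {"us": 300, "asia": 900, "eu": 1380}

def simulated_probe(region, t):
    return t < SIM_CUTOFFS_S[region]

def run_simulation():
    # No real waiting in the simulation: the clock is the probe's t argument.
    return measure_revocation(simulated_probe, list(SIM_CUTOFFS_S),
                              sleep=lambda _s: None)

def circuit_breaker_verdict(result, budget_s=60):
    """True if the credential stopped working everywhere within budget_s
    (60 s is the AQ-key latency the text cites as the near-term target)."""
    return result["effective_revocation_s"] < budget_s

if __name__ == "__main__":
    r = run_simulation()
    for m, rate in r["rates"].items():
        print(f"minute {m:2d}: {rate:6.1%} of probes still authenticated")
    print("last success per region:", r["last_ok"])
    print("effective revocation latency:", r["effective_revocation_s"], "s;",
          "acceptable as circuit breaker:", circuit_breaker_verdict(r))
```

The aggregate success rate is what a single-region check would miss: at minute 22 the simulated credential still authenticates in one of three regions, which is the kind of partial revocation the text describes.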

Bottom line

The Google AI security crisis of May 2026 is not one bug. It is three converging structural patterns — silent scope creep on legacy API keys, silent tier escalation on developer billing, and a 23-minute revocation lag that turns key deletion into a partial mitigation rather than a stop — landing in the same news cycle as Anthropic shipping Glasswing's 10,000-zero-day disclosure. The contrast is the story.

Francis de Souza is correct that security is not something you can bolt on later. Lea Kissner is correct that we are going to need people to deal with the bug-pocalypse. The week of May 21 through 26, 2026 is the week the cloud industry was forced to acknowledge that the credential primitives it shipped a decade ago are not sized for the AI economics of today. The fix is on the roadmap. The lessons are not optional.

What I am watching for next: whether Google ships the standard-key revocation acceleration before the next disclosure cycle, whether any other major cloud — AWS, Azure, Cloudflare, Oracle — publishes its own end-to-end credential-revocation latency measurements, and whether enterprise procurement RFPs for 2026 H2 start asking the credential-revocation-latency question explicitly. If they do, this week is the week the standard changed.

Editorial note: This article is independent analysis based on the TechCrunch report by Connie Loizos published May 24, 2026, the Aikido Security disclosure dated May 21, 2026 (Google P0 reopened May 22, 2026), and The Register's reporting on the affected developer cases. No affiliate relationships with Google, Anthropic, OpenAI, or Aikido Security are present on this page.

Frequently Asked Questions

What is Google's AI security crisis in May 2026?

On May 24, 2026, TechCrunch reported that Aikido Security had measured Google standard API keys staying functional for up to 23 minutes after deletion, with authentication success rates above 90 percent during the window. Aikido published the disclosure on May 21, 2026. Google reopened the report as a P0 bug on May 22, 2026, after initially closing it as "won't fix."

How long does a deleted Google API key remain active?

Per Aikido Security's research, standard Google API keys remain active for up to 23 minutes after deletion. Newer credential formats are faster: Gemini's AQ-prefixed key format revokes in approximately 1 minute, and service account credentials revoke in roughly 5 seconds.

Who is Rod Danan and what happened to him?

Rod Danan is CEO of Prentus, an interview-prep platform that uses Google Maps API calls. After his publicly-deployed Google Maps API key was compromised, his bill hit $10,138 in roughly 30 minutes — almost entirely from Veo 3 video generation requests and Gemini image output tokens, services he had never knowingly enabled. Google forgave the charges after The Register coverage.

What happened to Isuru Fonseka in Sydney?

Isuru Fonseka is a Sydney-based developer with 10 years of Google Cloud experience. He had set a $250 hard budget cap. On April 29, 2026, he discovered approximately AUD $17,000 in unauthorized charges. Google's automated system had silently moved his account from Tier 1 (with his $250 cap) to Tier 2 or Tier 3 (with a ceiling up to $100,000), triggered by $1,000 lifetime Cloud spend and 30 days since first payment.

What is Aikido Security and who is Joe Leon?

Aikido Security is a security platform that runs vulnerability and threat intelligence research. Joe Leon is the Aikido researcher who measured the 23-minute revocation window. His quote: "When you delete a Google API key, it says it's immediately deleted. Our testing says ~23 minutes." Aikido published the disclosure on May 21, 2026 on its company blog.

How does this compare to Anthropic's Glasswing announcement?

On May 23, 2026 — one day before TechCrunch's Google security article — Anthropic announced Glasswing had identified 10,000 zero-days in a single month, framed as a defensive offensive-security program. The contrast in the same week is one lab shipping structured offensive-security at scale, while the other reopens a P0 against its own billing infrastructure after being forced into public disclosure.

What did Francis de Souza say about AI security?

Francis de Souza, Google Cloud COO, told industry audiences: "There'll be a transition period, and then I think we get to this better place. Security is not something you can bolt on later. There's no such thing as an AI strategy without a data strategy and a security strategy." The line landed the same week Google was demonstrating exactly the bolt-on pattern de Souza is warning against.

What did Lea Kissner mean by "bug-pocalypse"?

Lea Kissner, LinkedIn CISO, said: "We're going to need people to deal with the bug-pocalypse." She added that she does not expect sustainable industry understanding of AI security for at least several years. The framing names the reality that cloud credential primitives designed in the 2010s are not sized for AI-era pricing and autonomous-spend velocity.

Can attackers exfiltrate data during the 23-minute window?

Yes. According to Aikido's research, during the revocation window on Gemini-enabled projects, attackers can dump uploaded files and extract cached conversations through the still-authenticating endpoint. The window is not only a billing exposure — it is a data exposure for Gemini context that was previously uploaded to the project.

What should developers running on Google Cloud do right now?

Audit every standard API key and explicitly restrict scope. Migrate to AQ-prefixed Gemini keys or service account credentials where supported. Check your billing tier manually — if you have crossed $1,000 lifetime Cloud spend and 30 days since first payment, assume tier auto-escalation. Stack multiple budget alerts rather than a single cap. Document every incident in real time, because both Danan and Fonseka secured refunds only after media coverage created leverage.

What is the strategic read for cloud AI procurement?

Three pressures converge on Google Cloud in the next 90 days: procurement teams comparing Anthropic Glasswing and OpenAI Daybreak against Google's posture, EU AI Act and BSI/DGCCRF audit attention on credential hygiene, and Gemini 3.5 Flash agent-platform launches that require trust in autonomous compute spending. The 23-minute window erodes exactly that trust at exactly the wrong moment.

Is the bug fixed?

Google reopened the report as a P0 bug on May 22, 2026, after initially closing it as "won't fix." The committed direction is accelerating standard API key revocation toward the AQ-prefixed format's 1-minute window, with service-account-style 5-second propagation as the longer-term target. As of the date of this article, the standard-key 23-minute window has not been fully closed. Migrate to the faster credential formats now.
