惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V
V2EX
V
Visual Studio Blog
博客园_首页
Last Week in AI
Last Week in AI
Apple Machine Learning Research
Apple Machine Learning Research
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
S
SegmentFault 最新的问题
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Martin Fowler
Martin Fowler
Recent Announcements
Recent Announcements
J
Java Code Geeks
月光博客
月光博客
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
F
Fortinet All Blogs
P
Privacy & Cybersecurity Law Blog
C
CERT Recently Published Vulnerability Notes
C
CXSECURITY Database RSS Feed - CXSecurity.com
B
Blog RSS Feed
S
Schneier on Security
酷 壳 – CoolShell
酷 壳 – CoolShell
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
W
WeLiveSecurity
A
Arctic Wolf
U
Unit 42
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
有赞技术团队
有赞技术团队
Recorded Future
Recorded Future
Engineering at Meta
Engineering at Meta
Google DeepMind News
Google DeepMind News
大猫的无限游戏
大猫的无限游戏
Microsoft Security Blog
Microsoft Security Blog
Hacker News: Ask HN
Hacker News: Ask HN
量子位
B
Blog
T
The Exploit Database - CXSecurity.com
C
Cisco Blogs
博客园 - 三生石上(FineUI控件)
H
Help Net Security
博客园 - 叶小钗
C
Cyber Attacks, Cyber Crime and Cyber Security
L
LINUX DO - 热门话题
Hugging Face - Blog
Hugging Face - Blog
Google DeepMind News
Google DeepMind News
小众软件
小众软件
雷峰网
雷峰网
TaoSecurity Blog
TaoSecurity Blog
Schneier on Security
Schneier on Security

Consumer Insights

The ransomware negotiator who was working for the other side After years on the run, alleged Ryuk ransomware operator pleads guilty INTERPOL crackdown shows scammers shifting to social media Meta lets strangers remix your public Instagram photos with AI—here’s how to opt out Invited to a "job interview" with Netflix or OpenAI? Beware! Your Google password could be at risk Two arrested over credit card phishing - as the Netherlands is named Europe's worst for payment fraud India pauses WhatsApp username feature over security concerns Alleged teen ransomware hustler faces US charges after arrest in Finland WhatsApp usernames explained: how to reserve yours and stay safe Scammers race to cash in on Venezuelan earthquake disaster USB drives carrying China-linked malware infected Japanese military networks for nearly a year WhatsApp tests new safety prompt before you chat with strangers Social media is worth celebrating. It's also worth protecting. Polish police dismantle SIM-swap gang accused of crypto theft Operation Endgame deals fresh blow to StealC and Amadey malware networks Hacker hijacks Brazil's national alert system, sending "misanthropy" to millions of phones Cybercrime now rivals traditional crime across parts of Asia Apple's Hide My Email tweak leaves privacy fans fuming Americans lost $3.5 billion to imposter scams last year — and the scams are getting harder to spot Scammers have killed the physical Steam Gift cards Crypto investment scam sends couriers to collect victims' cash, FBI warns Maine forced to take down data breach portal after fake notices filed with authorities Privacy own-goal: World Cup blunder leaks Lionel Messi's passport details Why schools remain one of cybercriminals' favourite targets WhatsApp detects new spyware activity from Israel’s NSO Group despite court order Got a LinkedIn message from a recruiter? It might be Chinese intelligence, warn FBI and MI5 Europol cracks down on illegal streaming globally Hackers didn't hack Instagram; they just asked Meta AI FBI Warns Fans About FIFA Scams Ahead of 2026 World Cup Virtual knife, real lawsuit: Counter-Strike skin dispute ends in court As Deepfakes Spread, YouTube Makes AI Labels Harder to Miss Carnival breach exposes data of nearly 6 million people Police arrest man following hack of Ajax football club MyPillow listed on ransomware gang's leak site, but denies it has been breached FBI warns criminals impersonating IT support to breach law firms FBI warns of Kali365 phishing kit that breaks into Microsoft 365 accounts — no password required Telecom Executives Plead Guilty to Tech Support Fraud 7-Eleven data breach exposes data of 185,000 people ASIC Warns Australians About Crypto Trading Scams Google Search AI Mode brings a major overhaul Ukrainian police identify perp in $721k infostealer scheme Steam removes horror game after malware steals player data FBI: Crypto ATM Scams Keep Growing as Americans Lose Millions FBI warns students and staff that ShinyHunters may come knocking after Canvas breach Scam Centers Under Pressure as INTERPOL Makes More Arrests FBI Warns Older Adults Lost Billions to Scammers Burst Statistics WordPress flaw under attack Android 17 Will Let Users Verify Whether Their OS Is Legit Suspected Dream Market kingpin arrested after gold bars sent to his home address BitLocker zero-day exposes Windows drives as PoC goes public Apple Fixes ‘Persistent Notifications’ Flaw on Older iPhones Football Ticket Scams Are Rising Fast, Lloyds Bank Warns When ransomware gets physical: cybercriminals turn to threats of violence iPhone-to-Android Texts Are Now Encrypted (RCS Messaging) UK Water Supplier Fined Nearly £1 Million After Hackers Roamed Networks for Almost 2 Years Instagram Drops Encrypted DMs — What This Means for You New fear: Man films woman with smart glasses, seeks money to take video down ClickFix Campaign Uses Compromised WordPress Sites to Spread Vidar Stealer in Australia Inside Department 4: Russia's secret school for hackers Ubuntu’s new AI dreams attracted a very old-fashioned crypto scam on X Chrome 4GB AI model: What weights.bin does Sri Lanka makes 37 arrests as it raids another scam centre DAEMON Tools Lite breach prompts urgent update after malware-laced installer Brits Lost £102 Million to Romance Scams Last Year The Online Safety Act Is Changing the Internet for Kids World Password Day 2026 How Hackers Stole and Sold Roblox Accounts for $250,000 Before Getting Caught Four Years in Prison for Cybersecurity Pros Turned Ransomware Attackers Teenager alleged to be Scattered Spider hacker arrested in Finland, faces US extradition 276 Arrested in Crypto Scam Crackdown Popular WordPress redirect plugin found with years-old backdoor Iran-linked Handala hackers leak US Marines data, send chilling WhatsApp threats Alleged Silk Typhoon hacker extradited to the United States to face charges FTC: Social Media Scams Cost Americans $2.1 Billion in 2025 French police arrest 21-year-old "HexDex" hacker over 100 alleged data breaches iOS Flaw Exposed ‘Deleted’ Signal Messages Sony Starts Enforcing PlayStation Age Verification; UK and Ireland Are First Ransomware ‘Negotiator’ Faces 20 Years in Prison for Allegedly Betraying His Employers You’ve Got Mail and It’s Tracking Your Warship Crypto Investment Scam Costs Woman in Hong Kong Nearly $1 Million Operation PowerOFF warns 75,000 DDoS users Singer loses life savings to fake wallet downloaded from the Apple App Store AgingFly malware targets Ukraine government, hospitals 108 malicious Chrome extensions caught stealing Google and Telegram data from 20,000 users Rockstar Games confirms breach after ShinyHunters leaks stolen analytics data FBI: Cybercrime Losses Hit $21 Billion in 2025, Fueled by AI Life imprisonment for Cambodian scam compound operators - but will it make a difference? Fake Claude Code leak on GitHub spreads Vidar malware Apple Expands ‘DarkSword’ Patch to More iPhones and iPads Nigerian romance scammer jailed after being caught out by fellow fraudster Fake WhatsApp Clone Used in Spyware Campaign, Meta Warns Fake CERT-UA emails spread AGEWHEEZE in ukraine Alleged RedLine malware developer extradited to United States The Scam That Tricks You Into Infecting Your Own Mac Iranian hackers breach FBI director's personal email, and post his CV and photos online Don't Ignore This Security Alert Apple Sent to iPhone Lock Screens Meta and YouTube Designed Addictive Platforms, Jury Finds TikTok Business phishing campaign targets advertisers Lapsus$ claims AstraZeneca breach exposes code and credentials How one man used 10,000 bots to steal $8,000,000 from music artists
Deleted Google API keys may remain active for 23 minutes
Vlad CONSTANTINESCU · 2026-05-22 · via Consumer Insights

Google API keys may keep working after deletion, giving attackers time to abuse Gemini access and generate costly cloud charges.

A risky revocation gap

Security researchers at Aikido say deleted Google API keys can continue authenticating after users remove them, with the longest observed window reaching 23 minutes. As many developers treat deletion as an emergency brake after sensitive data leaks, this finding demonstrates how simply removing impacted components isn’t always a silver bullet.

Aikido ran 10 trials, sending repeated authentication requests after deleting newly created keys. Some Google systems rejected the credentials quickly, but others kept accepting them until revocation propagated.

Gemini access raises the stakes

The risk extends beyond nuisance traffic, as the research shows a stolen key tied to a project with Gemini enabled could be exploited to access uploaded files, cached context and billable AI services before the key finally stops working.

That delay grows even more dangerous when threat actors automate high-value requests. Even if jus some backend servers still honor the deleted credential, repeated attempts increase the odds of successful abuse.

Billing controls may not stop the damage

The discovery comes amid growing concern over runaway AI bills. Google’s Gemini API billing model employs usage tiers based on payment history, and Google says higher tiers can reach spending caps from $20,000 to $100,000 or more.

Google recently introduced project spend caps and dashboards, but the research suggests response plans should not rely on key deletion alone. Developers should restrict keys by service and client, avoid exposing them in code or URLs, monitor unusual usage and rotate credentials proactively.

Google reportedly declines a fix

Aikido says Google classified the behavior as intended and closed the report as infeasible to fix. The researchers argue the delay is technically solvable, citing faster propagation for other Google credential types and newer Gemini key formats.

Cloud and AI developers should treat leaked Google API keys as active even after deletion. Incident response should include disabling affected services, reviewing activity, checking cached data and contacting billing support immediately.