I think this is making at least some waves in Google. I literally just got an email from them with the subject "[Action Advised] Review Google Cloud credential security best practices".

A slew of recommendations, one of them being:

Disable Dormant Keys: Audit your active keys and decommission any that show no activity over the last 30 days.

(Although I don't think this even addresses the underlying issue)