[neilv]

I had just composed a comment with the exact same two quotes before I saw yours.

I suppose "abundance of caution" might apply, if they determined that the only ways it could've leaked were from requests that were logged, and they've removed all the ways and checked all the logs.

But if I had to guess, even a brief exposure can be picked up by bots (and perhaps they can already see log entries for this). Even if no one at all picked it up, there'd still be the question of whether traces of it are still left behind on various infrastructure, in storage and caches (even ML training?) not intended for key safety.

[fjni]

You are right of course. There’s a scenario where they have exhausted all possible ways in which it could have leaked, determined that it wasn’t and decided despite that conclusion to rotate the key. That would be doing so purely out of abundance of caution.