Fraudulent credit card billing by OpenAI

I have an account at openai.com, opened in the middle of July 2024. I selected the 20 USD monthly plan and only did some exploring as I’m not yet ready for any serious projects.

On September 25, a series of credit card transactions suddenly appeared:

10:50 50 USD
10:50 150 USD
10:50 250 USD
10:51 499 USD
10:51 999 USD
10:53 999 USD
11:59 995,37 USD
12:11 993,43 USD
12:29 993,17 USD

Notice how it happens in minutes and how the amount escalates, testing how far it can go.

I recognize none of these transactions. I have not been using any OpenAI services at all lately.

When my notification SMS arrived at 12:29 I happened to have the phone in front of me so I noticed it and immediately called my bank to block the card.

Looking at my mailbox I could see that for the first 5 of the listed transactions I received a notification email telling me my account has been funded. For the other 4, nothing.

For transaction #5, the way the openai.com email sender addressed me suddenly changed to “Hi F22” and the footer changed to:

“You received this email because you have a paid account with OpenAI
Organization: F22”

I have no idea what F22 is.

The OpenAI dashboard for my account shows: no cost, no usage, no invoices.

OpenAI is not responding to my email and web inquiries.

I’m not from the USA, nor Qatar, nor Switzerland, so to me 6.000 USD is not just small change.

From this experience and looking at other similar threads I would say something is not really working well concerning OpenAI data security and user support.

I raised the issue also with my bank (of course) and with Stripe but at this time I’m not really confident about how it will all turn out.

1 Like

Welcome to the dev community.

We can’t help you with your account, unfortunately. You’ll need to reach out to help.openai.com (chat in bottom right…) and give them the details.

I would sign out of all ChatGPT or other instances, change password, etc.

Were you using any browser extensions perchance?

1 Like

No browser extensions.
Yes, I’ve already used the help chat but it seems I’m talking to myself in there 🙁

Sorry for your loss…

  • Can you take a screenshot of Usage, to see what it was used for?
  • How was the key set? In your code, in your system or on some platform?

I’m trying to understand how they operate and what target they have (I saw people posting this a few times), because that money must be used somehow and there must be some logs on your account.

1 Like

On the OpenAI platform site, looking at Dashboard, the Usage, Cost, and Invoices are all showing a big fat nothing (even though Invoices should at least be showing the monthly 20 USD subscription billing).

Looking from a distance this seems like OpenAI has somehow allowed credit card data tied to one account to be used to fund some other account. Especially bearing in mind the strange email notification that I mentioned originally.

1 Like

Can you let us know if you used your API key exclusively in your code, or if you also integrated it with libraries such as Hugging Face or Langchain, or set it in any software or platform?
Sharing more details with the community could help raise awareness and improve security practices.

Additionally, it’s important to be aware that exposed API keys can be misused by malicious actors to create embeddings, generate data for other models, perform adversarial training, or facilitate knowledge transfer…

1 Like

My experience with OpenAI is just beginning. I did not use any code, only web interactive sessions with ChatGPT. I have no reason to believe that an API key could be exposed anywhere except with a breach of user data inside OpenAI itself.