Yesterday I had tons of API requests in my OpenAI ChatGPT account, not made by me, now charging me $42. I don't understand what happened; that wasn't me. I wrote with a “Hacker” who told me:
“your account is compromised already. Via malicious links.
And for your info it’s gonna be terminated very soon and you lose everything in the account. Despite the revoked keys the hacker already has access to it. Your account has been compromised
Despite the revoked the hacker already has access to it
So am gonna terminate the access. And make it secured.”
This guy wanted $100 from me for this process, which I assumed was just another scam, so I denied. He sent me this photo as proof and said he used a “Dark web anonymous method”.
I am now really scared; what can I do? I ran a virus check, deleted all cookies, changed all passwords, deleted all GitHub repos, revoked all API keys, and wrote to OpenAI (but they are slow). I'm scared because he told me: “And for your info it’s gonna be terminated very soon and you lose everything in the account”.
But I honestly think he also only wanted my money… But I am really paranoid right now.
You’ve likely installed some fake GPT app and put your info into it, or some scammy Chrome extension that steals credentials.
MalwareBytes, besides obviously cleaning off any silly extensions or apps you were fooled into using.
Then you waste as much of the “hacker’s” time as possible.
Report the incident to your local law enforcement and change your password; ensure you have 2-factor authentication turned on.
Do you have any applications that are public? Do they have the API in their code? If so, a competent coder could retrieve it, which is why the best-practice advice is to use a separate API-handling server with industry-standard authentication, OAuth for example, to allow your app to authenticate with the intermediate web server that serves web pages and API calls.
There are also a number of unofficial browser extensions and websites that ask for your API key and that could be a potential issue.
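To make the point about keys embedded in application code concrete, here is an added example (my own, not code from this thread, from OpenAI or from any project mentioned here): a small scanner that walks a checkout and flags lines that look like they hard-code a credential. The `sk-` prefix rule is an assumption about the usual shape of OpenAI secret keys; the second rule is generic and uses Shannon entropy to tell random key material apart from placeholders such as `changeme`. The sample source text is constructed and the key in it is fake.

```python
import math
import os
import re
from typing import Dict, List, Tuple

# Regex for the "sk-" prefixed key shape; the prefix is an assumption about the
# typical form of OpenAI secret keys, not something the thread states.
PREFIXED_KEY_RE = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")

# Generic rule: a credential-sounding name assigned a quoted literal of 16+ chars.
ASSIGNMENT_RE = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)

# File types worth scanning; anything else is skipped to keep noise down.
SCAN_SUFFIXES = (".py", ".js", ".ts", ".json", ".env", ".yaml", ".yml", ".txt")

Finding = Tuple[int, str, str]  # (line number, rule name, matched secret)


def shannon_entropy(s: str) -> float:
    """Bits per character. Random key material scores well above prose or
    placeholder strings such as 'changeme', which is what separates a real
    leaked credential from a harmless default."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_source(text: str, entropy_threshold: float = 3.5) -> List[Finding]:
    """Return every line that looks like it embeds a credential."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PREFIXED_KEY_RE.finditer(line):
            findings.append((lineno, "prefixed-key", m.group(0)))
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group(2)
            # Already reported by the prefixed rule above; avoid a duplicate.
            if PREFIXED_KEY_RE.search(value):
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high-entropy-credential", value))
    return findings


def scan_directory(root: str) -> Dict[str, List[Finding]]:
    """Walk a checkout and collect findings per file, skipping .git metadata."""
    results: Dict[str, List[Finding]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if not name.endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_source(fh.read())
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


def redact(secret: str) -> str:
    """Show only the edges so a report never re-leaks the full value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


# Constructed sample file, not real code from any project; the key is fake.
SAMPLE_SOURCE = """\
import os
# good: key comes from the environment, never from the repository
client = Client(api_key=os.environ["OPENAI_API_KEY"])
# bad: hard-coded key (constructed, not a real key)
OPENAI_API_KEY = "sk-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd"
# bad: generic secret literal
db_password = "x9Qe!7fLw2Rt#8zBn4Kp"
# fine: low-entropy placeholder, not flagged
token = "changeme-changeme"
"""


if __name__ == "__main__":
    for lineno, rule, secret in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {redact(secret)}")
```

Run `scan_directory(".")` from the root of a repository before pushing it; anything it reports belongs in an environment variable or a secrets store on the intermediate server the post describes, never in the client or the repository. Lower `entropy_threshold` if your keys use a small alphabet, and extend `ASSIGNMENT_RE` with the variable names your code base actually uses.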
I revoked all keys and changed all passwords; hope this blocks the access for now. This guy told me it wouldn't matter, cuz “they” had access via an infected link to my account. Changed all passwords, set down rate limits, deleted all cookies and all downloaded GitHub repos. Hope this helps. Any more suggestions on what I can do?
Shouldn't revoking ALL API keys also help out in this case? I do have 2FA with an authenticator app on; that's what makes me feel so insecure now. I really can't understand. For now I won't create any API keys anymore; that actually scared me a little. But the debit card is still in there and OpenAI support is insanely slow.
Well, in the meantime you can change your hard limit to below the current usage amount and then the system will not let any more be used.
Revoking all API keys should indeed prevent further access.
I had it yesterday at a soft limit of 20 and a hard limit of 40, but it got set up to the max of 120 somehow. I really don't understand how, without my authenticator app.
Really, should I go to the police with this incident?
Now’s the part where you beg them to remove the farcical “infected link”. Negotiate with them to pay. Make fake screenshots where you paid. Tell them you need to get money from your grandma. Say she can only do a direct wire transfer, get their bank details. Ask them to install your screen sharing link on their computer so you can see them remove their malware first, logging their IP. Etc. Then threaten and embarrass them with their stupidity.
I would, if it were me. But you must do as you see fit; most law enforcement agencies have a cyber crime division for this type of thing.
It doesn't work. I have a hard limit of 5 dollars, but I was charged 148 dollars in one day. There is no way to stop overspending if your OpenAI account is hacked.
I have replied to your other post here: “API charged $300+ above spending hard limit - #6 by Foxabilo”.
Security is my specialty… unless they have a rootkit in a device of yours, changing your passwords and 2-factor authentication should work… there is no master list of permanently hacked devices… if there were, my job would be so much easier lol… what it is… your information got leaked from a site hack or bad extension, then published for sale… Blackhat on Telegram literally sells “scampages” for $25 USD… you have to be careful when entering your credentials… LinkedIn is a popular scampage… not the legit site of course, but they fake the login screen… and if you reuse passwords (do not reuse passwords) they have potential access to every account with that password/login combo.
Thanks bro, your comment is worth some bucks by itself and can save many other bucks. Ty! ^^