API key stolen, charged lots of $, can anybody help me?

Hi, my API key was stolen early this month and thousands of requests were made in two days.
How can I recover my money?

Life is so hard!
I think this key must have been used in some open source project.
Everyone be careful!

OpenAI automatically rotates keys in the event of a key leak.
Best Practices

OpenAI doesn’t detect usage patterns to “rotate”. Someone can steal your key from where you used it insecurely and empty or max out your account.

OpenAI has some scanning tools or agreements with partners to detect keys that are “leaked”, for example by being disclosed in GitHub code (as mentioned in the email), or that come from fingerprinted apps that violate key policies.

Well, consider it a paid-for lesson on programming security :sweat_smile:. The good news is that whoever commandeered your API key didn’t decide to torch you afterwards with some policy-breaking requests.

2 Likes

Please see this page for next steps: How can I report fraud or suspicious activity? | OpenAI Help Center

2 Likes

On a more helpful, less sarcastic note: in the future, to secure your API keys, make sure they are not hardcoded in any of your project files.

For example:

import openai

# Insecure: the key is a string literal in source, so it lands in version control
key = "123-insecure-567"
openai.api_key = key

Should be:

from dotenv import dotenv_values
import openai

# Read KEY=... from the .env file in the project root instead of hardcoding it
config = dotenv_values(".env")
openai.api_key = config["KEY"]

Where KEY is a variable inside a .env file in the root of your project that looks like this:

KEY="654-secure-321"

And your .gitignore file (in the root of your project) should have this in it:

*.env

Additionally, never use a program/service that requires you to enter your own OpenAI API key. Just like “not your keys, not your bitcoin”: “not your device, not your key anymore.” If they are legit, they’ll just charge you for the usage rather than have some convoluted system where you sign up but submit your key.

Anyway, sorry you got screwed, better luck in the future hopefully.
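As an added example (not code from the thread or from the poster above), here is a small standard-library script that does the three things the reply recommends and adds the checks a practitioner would want: load the key from the environment or a .env file and fail fast when it is missing, scan source text for keys that were hardcoded anyway (a pre-commit style check), and confirm that the .gitignore pattern actually covers the .env file. Assumptions: the variable is named KEY (as in the post) or OPENAI_API_KEY; OpenAI keys are recognised by their `sk-` prefix; the .env parser is a minimal stand-in for python-dotenv's dotenv_values(); and the .gitignore check uses fnmatch, which approximates but is not git's full wildmatch. All sample snippets are constructed for the example.

```python
"""Added example, not from the original thread: keep the OpenAI key out of
source, fail fast when it is missing, and scan source text for keys that
were hardcoded anyway. Standard library only."""
import fnmatch
import os
import re
from typing import Dict, List, Mapping, Optional

# Assumption: the key lives under KEY (as the post suggests) or OPENAI_API_KEY.
KEY_NAMES = ("OPENAI_API_KEY", "KEY")

# Constructed sample inputs (not real keys or real project files).
INSECURE_SNIPPET = 'import openai\n\nkey = "123-insecure-567"\nopenai.api_key = key\n'
SECURE_SNIPPET = (
    'from dotenv import dotenv_values\nimport openai\n\n'
    'config = dotenv_values(".env")\nopenai.api_key = config["KEY"]\n'
)
SAMPLE_DOTENV = 'KEY="654-secure-321"\n'


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser for .env contents: skips blank lines and
    comments, strips surrounding quotes. A stand-in for dotenv_values()."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        values[name.strip()] = value.strip().strip('"').strip("'")
    return values


def load_api_key(env: Optional[Mapping[str, str]] = None,
                 dotenv_text: str = "") -> str:
    """Resolve the key from the process environment first, then from .env
    contents. Raises instead of silently continuing with an empty key."""
    env = os.environ if env is None else env
    for source in (env, parse_dotenv(dotenv_text)):
        for name in KEY_NAMES:
            if source.get(name):
                return source[name]
    raise RuntimeError("no API key found; set OPENAI_API_KEY or add KEY to .env")


# Two detectors: a string literal assigned to an api_key-looking name, and a
# bare token with the `sk-` prefix (assumption: OpenAI key format) followed by
# a long alphanumeric run.
_ASSIGN = re.compile(r"(?i)\b(?:openai\.)?(?:api_?key|key)\s*=\s*[\"']([^\"']{8,})[\"']")
_TOKEN = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")


def find_hardcoded_keys(source: str) -> List[str]:
    """Return suspicious literals found in source text. Any hit means a
    secret is about to be committed; wire this into a pre-commit hook."""
    hits = [m.group(1) for m in _ASSIGN.finditer(source)]
    hits += [m.group(0) for m in _TOKEN.finditer(source) if m.group(0) not in hits]
    return hits


def gitignore_covers(patterns: List[str], filename: str) -> bool:
    """Approximate check (fnmatch, not git's full wildmatch) that one of the
    .gitignore patterns matches a file name. `*.env` covers `.env` but not
    `.env.local`; `.env*` covers both."""
    return any(fnmatch.fnmatch(filename, p) for p in patterns)


if __name__ == "__main__":
    print("insecure snippet flags:", find_hardcoded_keys(INSECURE_SNIPPET))
    print("secure snippet flags:", find_hardcoded_keys(SECURE_SNIPPET))
    print(".env ignored by '*.env'?", gitignore_covers(["*.env"], ".env"))
    print(".env.local ignored by '*.env'?", gitignore_covers(["*.env"], ".env.local"))
    print("key from sample .env:", load_api_key(env={}, dotenv_text=SAMPLE_DOTENV))
```

Run find_hardcoded_keys over the staged files in a pre-commit hook and refuse the commit on any hit; the .env check is worth running once, because a pattern that looks right but misses a `.env.local` or `.env.production` is exactly how keys end up on GitHub.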