Hi, my API was stolen early this week and thousands of requests were made in two days. I’ve since made steps to remove the API key, and secure the new one. Unfortunately my account was charged hundreds of dollars. I’ve reached out to support multiple times over the week and no one has gotten back to me. Does anyone know how I can get support on this?
You can contact your credit card company and they will handle it for you.
You will need to explain to them what happened and they will take it from there.
That is the easiest way @provmusic
HTH
Genuinely interested to understand how your API key was exposed?
Thank you for the reply. Is that the same as a chargeback? Do you know if this would affect my OpenAI account? I don’t want my account to be shut down.
I am using the API for a mobile app. The app was connecting directly to the API, meaning the API key was stored locally in the app. If you intercept the request, you can steal the key. I have since routed the API call through my server, which requires a valid JWT in order to authenticate the request. The API key is no longer stored locally in the app.
Ouch. That’s a hard lesson to learn. At least you spotted it and I hope you can recover some of the unauthorised spend.
Thank you for replying. I was worried that it may have been an exploit in the OpenAI platform or the API.
Did you configure your account for a soft limit and/or a hard limit on usage in the billing section?
I did, yeah, but if the API is cut off my app stops working.
Same here, no usage but was charged. Waiting for their reply.
Same thing here for me. In the last two days my usage got over 100X. I just removed the API keys and also set a limit, but it did not work. My billing gets increased every 5 minutes without any usage.
This sounds like a serious issue! I was perturbed because my API key was deleted, but this is even worse. Have you heard anything from OpenAI Support?
Yes, in my case someone else has become the owner of my account! And the only option I get is to leave the organization!! Worst part is I can’t go to billing to delete my credit card, nor can I remove this new owner.
No response from OpenAI till now. Have tweeted out to them as well.
I feel sad because they did not reply to my issue (card declined) as well, but the problem is resolved somehow automatically.
I don’t know about this person in particular… but I was contributing to a project on GitHub and the OP had their OpenAI API key where it should have said (put your API key here).
You can generate a few API keys all at the same time, independently of each other… so you could rewrite the app’s API key storage and be done… the more concerning part is that however that key was exposed… it can absolutely happen again if you don’t take measures to stop it.
One should never put the key into the app, just remove the old key, push an update to use a proxied API with keys injected, and there you can do some filtering.
Similar situation is happening to a team member of mine. I put $10 into their account and within 48 hours, all of the money was used by someone outside her account using a model we don’t even use. The key was never shared. Luckily, we had a limit and so only the $10 credits were siphoned.
The real bummer: I have been writing to support via email or chat almost every day for the past 2 weeks and have had zero response, and this thread makes me less confident this will be fixed or addressed.
The response from support should be sufficiently prompt, depending on the urgency of the matter.
Careful management of API keys is essential, and I intend to be cautious as well,
but even before that, the more urgent the issue, the faster support needs to respond to inquiries from users.
This is a crucial point for them not to lose credibility. I hope that OpenAI’s support pays close attention to this aspect.