API key stolen, charged lots of $, no response from support

Hi, my API key was stolen early this week and thousands of requests were made in two days. I’ve since taken steps to remove the API key and secure the new one. Unfortunately my account was charged hundreds of dollars. I’ve reached out to support multiple times over the week and no one has gotten back to me. Does anyone know how I can get support on this?

1 Like

You can contact your credit card company and they will handle it for you.

You will need to explain to them what happened and they will take it from there.

That is the easiest way @provmusic

HTH

Genuinely interested to understand how your API key was exposed?

1 Like

Thank you for the reply. Is that the same as a chargeback? Do you know if this would affect my OpenAI account? I don’t want my account to be shut down.

I am using the API for a mobile app. The app was connecting directly to the API, meaning the API key was stored locally in the app. If you intercept the request, you can steal the key. I have since routed the API call through my server, which requires a valid JWT in order to authenticate the request. The API key is no longer stored locally in the app.

2 Likes

Ouch. That’s a hard lesson to learn. At least you spotted it and I hope you can recover some of the unauthorised spend.

Thank you for replying. I was worried that it may have been an exploit in the OpenAI platform or the API.

1 Like

Did you configure your account for a soft limit and/or a hard limit on usage in the billing section?

I did, yeah, but if the API is cut off my app stops working :confused:

Same here, no usage but I was charged. Waiting for their reply.

Same thing here for me. In the last two days my usage went over 100X. I just removed the API keys and also set a limit, but it did not work. My billing gets increased every 5 minutes without any usage.

2 Likes

This sounds like a serious issue! I was perturbed because my API key was deleted, but this is even worse. Have you heard anything from OpenAI Support?

Yes, in my case someone else has become the owner of my account! And the only option I get is to leave the organization!! The worst part is I can’t go to billing to delete my credit card, nor can I remove this new owner.

No response from OpenAI till now. I have tweeted at them as well.

I feel sad because they did not reply to my issue (card declined) either, but the problem somehow got resolved automatically.

I don’t know about this person in particular… but I was contributing to a project on GitHub and the OP had their OpenAI API key where it should have said (put your API key here).

You can generate a few API keys all at the same time, independently of each other… so you could rewrite the app’s API key storage and be done… The more concerning part is that however that key was exposed, it can absolutely happen again if you don’t take measures to stop it.

One should never put the key into the app. Just remove the old key, push an update to use a proxied API with keys injected server-side, and there you can do some filtering.

A similar situation is happening to a team member of mine. I put $10 into their account and within 48 hours all of the money was used by someone outside her account, using a model we don’t even use. The key was never shared. Luckily, we had a limit and so only the $10 in credits was siphoned.

The real bummer: I have been writing to support via email or chat almost every day for the past 2 weeks and have had zero response, and this thread makes me less confident this will be fixed or addressed.

The response from support should be sufficiently prompt, depending on the urgency of the matter.

Careful management of API keys is essential, and I intend to be cautious as well, but even before that, the more urgent the issue, the faster support needs to respond to inquiries from users. This is a crucial point for them if they are not to lose credibility. I hope that OpenAI’s support pays close attention to this aspect. :disappointed_relieved:

1 Like

Happening to me in exactly the same way. My app uses the key to let users send 2-3 free messages, but I am being charged hundreds of $ monthly. The number of requests is in the hundreds and customers are fewer than 50. Firebase analytics show fewer than 300 API requests a month, but I am being charged for thousands of requests. I have restricted use of GPT-4 in the API, but the usage on the OpenAI platform shows the majority of requests costing GPT-4 rates.

Support is not helpful at all; they respond and promise to contact me back after checking, but they never do. I have deleted keys and updated the app multiple times, but to no use.

I really doubt the keys are being stolen from my app; the problem must exist on the OpenAI side.

So far I have been charged $4000 for nothing…

So frustrated at OpenAI’s whole billing and charging support team.

1 Like

Let me guess: you put the API key in the app software so any hacker could pull it out and abuse it. There are adversaries that look for exactly this naivety and go key hunting to train AIs on GPT-4. Sorry.

You cannot do that. You must have a gateway server for your app that knows your customer and makes requests on their behalf, including sending inputs to moderation.

There are also hard limits you could have set that would have stopped this at any point.

Change your account password, or that of the OpenAI authentication method. Make a new API key and revoke all others. Do not use that key in the app. The app is now useless, as it should be. If your account itself is hacked, you may need to put in a request through the help assistant to have staff reset all browser sessions.

1 Like
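The gateway pattern that the OP moved to (routing app requests through a server that checks a JWT) and that the last reply insists on (a server that knows the customer and holds the key) looks like the following in outline. This is an added illustration, not code from anyone in the thread; the signing secret, the placeholder API key, the model name, the per-user allowance and the in-memory counter are all constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example; a real service loads them from its secret
# store. The OpenAI key exists only on the server, never in the app bundle.
JWT_SECRET = b"constructed-jwt-signing-secret"
OPENAI_API_KEY = "sk-PLACEHOLDER-server-side-only"
SERVER_MODEL = "gpt-3.5-turbo"   # the server, not the client, chooses the model
FREE_MESSAGES_PER_USER = 3       # the "2-3 free messages" allowance, per user
_used = {}                       # user id -> messages consumed (in-memory demo)

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _sig(head, body):
    return hmac.new(JWT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_jwt(claims):
    """Issued by the login endpoint once the user has authenticated (needs sub, exp)."""
    head, body = _b64url(b'{"alg":"HS256"}'), _b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64url(_sig(head, body))}"

def verify_jwt(token):
    """Claims if our HMAC verifies and exp is in the future, else None; alg header ignored."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_sig(head, body), _unb64url(sig)):
            return None                                   # forged or tampered
        claims = json.loads(_unb64url(body))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= time.time():
            return None                                   # malformed or expired
        return claims
    except (ValueError, TypeError):   # wrong part count, bad base64/JSON, odd exp
        return None

def handle_chat(token, user_text):
    """Gateway: returns (status, payload); a 200 payload is the upstream request the server sends."""
    claims = verify_jwt(token)
    if not claims or "sub" not in claims:
        return 401, {"error": "invalid or expired token"}
    if len(user_text) > 2000:                         # cheap input filtering hook
        return 400, {"error": "message too long"}
    user = claims["sub"]
    if _used.get(user, 0) >= FREE_MESSAGES_PER_USER:  # per-user quota, not per key
        return 429, {"error": "free message allowance exhausted"}
    _used[user] = _used.get(user, 0) + 1
    return 200, {"url": "https://api.openai.com/v1/chat/completions",
                 "headers": {"Authorization": f"Bearer {OPENAI_API_KEY}"},
                 "json": {"model": SERVER_MODEL, "messages": [{"role": "user", "content": user_text}]}}
```

Because the client only ever holds a short-lived JWT tied to its own user, a leaked token buys a few messages under that user's quota rather than unlimited spend against the account, and the model and input filtering are decided server-side.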