API key stolen, charged lots of $, no response from support

So, the key in the app was encrypted. All OpenAI APIs are HTTPS.
I have changed the keys twice, without any success.
Yes, I controlled the limits, increasing them incrementally and testing/observing the usage vs. charges.
It was hard to imagine it would be a key theft issue in the beginning, so I was trying to find issues/misuse in my own app and its monetization model.
Changing keys and testing resulted in overcharges despite strict control of limits.
Eventually, I created a new account, used a different credit card and deposited $10. I used only two messages on the OpenAI Playground, using 380 tokens, and it cost only $0.01. So it all looked normal now.

The next day my $10 were gone, 22 requests had been made and thousands of tokens were shown as used. Now this was not my app; I never used that account or its key in my app.
So eventually, I think it's a problem on OpenAI's side. They are not responding because they know they have messed-up security around keys and tokens.

1 Like
  1. Where are you storing your key?
  2. Why are you encrypting it?
  3. Whatever you are doing, you are exposing your key.
1 Like

Seems straightforward…

1: storing the secret alongside the means to unlock it, and giving it to anybody;
2: because he’s smarter than a world full of cryptanalysts…
3: deeper compromise… or simply used “assistants” on the API and it cleaned out an account in one fell swoop.

1 Like

While I personally have not encountered charges for services I don’t recall using, it’s important to note the following:

Usage limits apply to your entire account, not just specific models such as GPT-4.

Furthermore, the enforcement of usage limits may not always be precise, and as a result, a burst of frequent requests in a short timeframe could lead to charges that surpass these limits.

https://platform.openai.com/docs/guides/production-best-practices

Additionally, if you’re observing fewer than 300 requests per month yet are being billed for thousands, it’s possible that your API key has been compromised and misused by an unauthorized party.

It’s also concerning that there was a need to encrypt your API key.
If there was a necessity to encrypt your keys (for instance, if they were stored in a potentially visible location), it’s crucial to be aware of the potential for such encryption to be decrypted.

In fact, not only OpenAI’s APIs, but also API keys are easy targets for hackers, and no matter how much encryption is applied, the risk is unavoidable.

I’m not suggesting it’s your fault without cause, but the details you’ve provided indicate that the issues may stem from inadequate API key management.

https://help.openai.com/en/articles/5112595-best-practices-for-api-key-safety

I recommend revisiting the best practices for API key management.

Best of luck with your future business ventures!


This English reply is based on a Japanese reply I prepared, translated into English by me with the help of DeepL and GPT-4.

I strongly advise against following suggestions to ‘let the credit card company handle it,’ which essentially equates to initiating a merchant chargeback. If you value your relationship with OpenAI or wish to use their API in the future, it’s crucial to understand that merchants generally view chargebacks quite unfavorably.

1 Like
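The replies above point at two controls the original poster lacked: a spend cap enforced on your own server before a request is forwarded (so a burst cannot overshoot the way the provider-side limit is said to), and a way to tell which billed requests your app actually made. The Python below is an added example, not code from this thread or from OpenAI; the flat per-token price, the ledger format and the sample data are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical flat price (an assumption, not a real OpenAI rate), kept as an
# integer in micro-USD so budget arithmetic never suffers float drift.
MICROUSD_PER_TOKEN = 2


@dataclass
class BudgetGate:
    """Spend cap checked on YOUR server before a request is forwarded."""
    limit_microusd: int
    window: timedelta
    ledger: list = field(default_factory=list)  # (timestamp, tokens) forwarded

    def allow(self, now: datetime, est_tokens: int) -> bool:
        # Keep only spend inside the rolling window, then check the projected total.
        self.ledger = [(t, n) for t, n in self.ledger if now - t < self.window]
        spent = sum(n for _, n in self.ledger) * MICROUSD_PER_TOKEN
        if spent + est_tokens * MICROUSD_PER_TOKEN > self.limit_microusd:
            return False
        self.ledger.append((now, est_tokens))
        return True


def reconcile(own_ledger, billed, tolerance=timedelta(minutes=1)):
    """Return billed requests that no forwarded request accounts for.
    Entries are (timestamp, tokens); each billed row consumes one unmatched own
    entry within `tolerance`, and every leftover billed row is suspicious."""
    unmatched = list(own_ledger)
    suspicious = []
    for b_time, b_tokens in billed:
        match = next((e for e in unmatched if abs(e[0] - b_time) <= tolerance), None)
        if match is None:
            suspicious.append((b_time, b_tokens))
        else:
            unmatched.remove(match)
    return suspicious


# Constructed sample data mirroring the thread: two small requests made by the
# owner, then 22 large requests the next day that nobody in the app made.
T0 = datetime(2024, 1, 1, 12, 0)
OWN = [(T0, 190), (T0 + timedelta(minutes=5), 190)]
BILLED = OWN + [(T0 + timedelta(hours=15, minutes=i), 2400) for i in range(22)]


def demo():
    gate = BudgetGate(limit_microusd=50_000, window=timedelta(days=1))  # $0.05 cap
    decisions = [gate.allow(T0 + timedelta(minutes=i), 5000) for i in range(6)]
    return decisions, reconcile(OWN, BILLED)
```

With the sample data the gate admits five 5000-token requests and refuses the sixth, and the reconciliation flags all 22 billed requests that have no counterpart in the owner's ledger.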

I put credit on my account which I think will be enough to cover me for a while for reasonable usage, then delete my credit card details from the website, so if anyone gets my details they can’t run up a huge bill. It just requires keeping an eye on my credits.