Glitch or the server was hacked

API usage above the limit set by me, using models I don’t use with amounts of tokens above the amount I normally use. I think the server has been hacked!

What type of app have you deployed? Is it an app with the API key embedded poorly?

I would cancel your keys, create new ones, and look for your leak.

gpt-3.5-turbo-0613 is indicated when it is selected by the alias “gpt-3.5-turbo” or “gpt-4”, a name simply pointed to the currently-recommended model. So “models you don’t use” can be models you do use.

Tokens above the amount you think you use can be a chatbot program with a long conversation history. Each turn can be a lot of input tokens of past conversation if unmanaged.

Besides revoking keys and changing account password before generating a new one, look at the organization to see if other members were invited.

It is a simple chatbot with premade system prompts in Portuguese. The key is encrypted; I don’t think it’s a simple key leak. I already deleted the key I was using as a precaution.

Did you have the key on the back-end server or embedded into your app? Good on changing it.

Are you saying you’re not using GPT-4 model at all? It really seems like you’ve got a key leak somewhere…

The model in question that I don’t use is gpt-3.5-turbo-16k; I haven’t used it for a long time. I have no other members in my organization. I never got to use more than 20,000 tokens while using the API. I was already close to the limit; the API did not respect the limit that was set and made requests above the limit.

Another one appeared, but it’s close to the time of the previous one, within 5 minutes.

Do you have more than one key?

I would reach out to if you haven’t yet. Good luck.

No, just the new one I generated after deleting the previous one. The system does not allow having 0 keys.

I want to remove my credit card, but there is no option to do that.

Delete all your API keys, down to a final new one, and ensure the old one is the one deleted (it would be nice if you could delete them all). Stop using the API for a while, and see if someone is still using the account in the five-minute increments.

Your requests with prior API keys should fail (although conceivably this deletion could take time to propagate through their infrastructure). Do not put the new one into any application besides one on your local machine to test.

The only way usage could then occur is if you (or someone that stole your password) went into your organization in your account and invited a new member to the organization. An organization member (a “reader”) can bill their own API keys to your account.

A final cause could be some database corruption on OpenAI’s part, where they aren’t correctly recording API usage. If the charges remain, you’ll have to inform them by assistant messages that the account billing needs correction and the problem needs looking into.

I reported it on the OpenAI Help but, by an irony of fate, it’s a chatbot.

Encrypted where? If this was in a client-side JS app, or a mobile or desktop app, it can still be captured by nefarious individuals.
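Two points raised in this thread, unmanaged conversation history inflating input tokens and the key living in client code, as an added example that is not code from the thread or from OpenAI: a minimal Node.js gatekeeper that holds the key only on the server, pins the model, trims history to a token cap and enforces a per-user budget. The names (`gateRequest`, `trimHistory`, `UserBudget`), the limits and the ~4 characters per token estimate are assumptions; no network call is made.

```javascript
// Added example, not code from this thread or from OpenAI. Names and the
// ~4 chars/token estimate are assumptions; nothing here talks to the network.
const ALLOWED_MODEL = "gpt-3.5-turbo"; // the one model this app may use
const MAX_INPUT_TOKENS = 2000;          // cap on prompt size per request
const PER_USER_TOKENS = 20000;          // per-user budget for the period

// Crude estimate (~4 chars per token); good enough for a budget gate.
function estimateTokens(text) {
  return Math.ceil(text.length / 4);
}
function totalTokens(messages) {
  return messages.reduce((n, m) => n + estimateTokens(m.content), 0);
}

// Keep the system prompt and drop the oldest turns until the history fits.
// Unmanaged history re-sends every prior turn, which is how input tokens balloon.
function trimHistory(messages, cap = MAX_INPUT_TOKENS) {
  const system = messages.filter((m) => m.role === "system");
  let turns = messages.filter((m) => m.role !== "system");
  while (turns.length > 1 && totalTokens([...system, ...turns]) > cap) {
    turns = turns.slice(1);
  }
  return [...system, ...turns];
}

// Per-user spend tracking; a real deployment would persist this.
class UserBudget {
  constructor(limit = PER_USER_TOKENS) { this.limit = limit; this.used = new Map(); }
  charge(userId, tokens) {
    const next = (this.used.get(userId) || 0) + tokens;
    if (next > this.limit) return false; // refuse and do not record
    this.used.set(userId, next);
    return true;
  }
}

// Build the upstream request on the server. The browser only sends { userId, messages };
// model and key are chosen here, so any client-supplied "model" field is ignored.
function gateRequest({ userId, messages }, apiKey, budget) {
  if (!apiKey) throw new Error("OPENAI_API_KEY is not set on the server");
  if (!userId || !Array.isArray(messages)) return { ok: false, status: 400 };
  const trimmed = trimHistory(messages);
  if (!budget.charge(userId, totalTokens(trimmed))) return { ok: false, status: 429 };
  return {
    ok: true,
    headers: { Authorization: `Bearer ${apiKey}` }, // never leaves the server
    body: { model: ALLOWED_MODEL, messages: trimmed, max_tokens: 300 },
  };
}
```

The browser client calls this server endpoint instead of the OpenAI API, so a dump of the shipped app contains no key to capture, and a spike in usage shows up against one `userId` rather than against the whole account.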

OpenAI already refunded me today, and the attack stopped when the key was deleted. Thanks, everyone, for the support.

And to think 23 hours ago I wrote “Do not put your API key in client code. You are not as clever as a determined attacker. Treat it like your bank password.”

It was on the client side to reduce server costs, but the key was encrypted, the API code was obfuscated, and it needed a password provided by the user to decrypt the key.

That’s likely your leak…

I’m absolutely sure it wasn’t; I don’t need a master’s degree in cybersecurity to know that.

There was no damage because I looked at my email inbox; if I hadn’t looked, they could have charged $300 like they did in another case on the forum.

My code is not targeted by hackers; OpenAI, on the other hand, must have attack attempts every day.