If the key was stored on the client side—even encrypted—you are vulnerable.
It’s unlikely they would have attacked the encryption itself, but if there were any errors made in the implementation of it, the key would be vulnerable to pretty much any attack.
But, users have passwords to unlock the key in order to submit API calls to OpenAI. Once the key is decrypted, it can be sniffed out from the packets sent to the API endpoint.
So, when @PaulBellow suggested that was the most likely source of your leak, he is correct.
Is it possible someone or some organization hacked OpenAI and got ahold of your API credentials? Sure, why not.
But, between that and someone gaining access to an API key on their system for which they have a password with which to decrypt that key…
I think it’s peak hubris to assert,