Glitch or the server was hacked

If the key was stored on the client-side—even encrypted—you are vulnerable.

It’s unlikely they would have attacked the encryption itself, but if there were any errors made in the implementation of it, the key would be vulnerable to pretty much any attack.

But, users have passwords to unlock the key in order to submit API calls to OpenAI. Once the key is decrypted, it can be sniffed out from the packets sent to the API endpoint.

So, when @PaulBellow suggested that was the most likely source of your leak, he is correct.

Is it possible someone or some organization hacked OpenAI and got ahold of your API credentials? Sure, why not.

But, between that and someone gaining access to an API key on their system for which they have a password with which to decrypt that key…

I think it’s peak hubris to assert,

1 Like

How exactly does this work? If the user is sending the API request then the network logs would display the unencrypted information.

If I understand correctly the user would store the encrypted key locally. The user would send the key & password so the server can decrypt it and make the call? So you don’t have to store their key? But you say the API code is obfuscated? I’m assuming it’s the code to your API?

So you have a universal key? I don’t understand. How are you identifying your users?

2 Likes
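The two posts above talk past each other on the same point: a key that lives on the client has to be decrypted on the client before it can go into the `Authorization` header, so anything sitting on that path (a debugging proxy, a packet capture after TLS termination, a browser extension, or just the client's own process memory) reads it in the clear, however well it was encrypted at rest. The alternative the second poster is asking about is for your own server to keep the OpenAI key and identify users by their own session token. The example below is added here to make both designs concrete; it is not code from either poster or from OpenAI. The API key is a constructed placeholder, the "encryption" is a toy PBKDF2 plus HMAC-counter keystream standing in for whatever the real app used, and `RecordingTransport` stands in for the network hop an observer can watch.

```python
import hashlib
import hmac
import secrets

OPENAI_URL = "https://api.openai.com/v1/chat/completions"
# Constructed placeholder, not a real key.
CONSTRUCTED_OPENAI_KEY = "sk-example-not-a-real-key-0000000000"


# --- Toy at-rest encryption of the key under a user password (assumption: stands in
# for the real app's scheme; unauthenticated and for illustration only) ---------------
def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_api_key(api_key: str, password: str) -> dict:
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    ks = keystream(derive_key(password, salt), nonce, len(api_key))
    return {"salt": salt, "nonce": nonce, "ct": bytes(a ^ b for a, b in zip(api_key.encode(), ks))}


def decrypt_api_key(blob: dict, password: str) -> str:
    ks = keystream(derive_key(password, blob["salt"]), blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks)).decode(errors="replace")


# --- The observable hop: proxy, packet capture, extension, or process memory ----------
class RecordingTransport:
    def __init__(self, handler=None):
        self.seen = []            # every header set that crossed this hop
        self._handler = handler   # None = stand-in for api.openai.com accepting the call

    def send(self, url: str, headers: dict, body: dict) -> dict:
        self.seen.append(dict(headers))
        return {"status": 200} if self._handler is None else self._handler(headers, body)


def bearer_tokens_seen(transport: RecordingTransport) -> list:
    return [h["Authorization"].removeprefix("Bearer ")
            for h in transport.seen if h.get("Authorization", "").startswith("Bearer ")]


# --- Design A: key stored (encrypted) on the client -----------------------------------
def run_client_side_design(password: str = "correct horse battery staple") -> list:
    blob = encrypt_api_key(CONSTRUCTED_OPENAI_KEY, password)
    wire = RecordingTransport()
    # The client MUST decrypt before sending; the wire sees the plaintext key.
    key = decrypt_api_key(blob, password)
    wire.send(OPENAI_URL, {"Authorization": f"Bearer {key}"}, {"model": "gpt-4o-mini"})
    return bearer_tokens_seen(wire)


# --- Design B: your server keeps the key; users get their own session tokens ----------
class KeyCustodyBackend:
    def __init__(self, openai_key: str, upstream: RecordingTransport):
        self._openai_key = openai_key   # never leaves this process
        self._upstream = upstream       # server -> api.openai.com hop
        self._sessions = {}             # session token -> user id
        self.usage = {}                 # per-user call count, so quotas are yours to enforce

    def login(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        return token

    def handle(self, headers: dict, body: dict) -> dict:
        user = self._sessions.get(headers.get("Authorization", "").removeprefix("Bearer "))
        if user is None:
            return {"status": 401}
        self.usage[user] = self.usage.get(user, 0) + 1
        return self._upstream.send(OPENAI_URL, {"Authorization": f"Bearer {self._openai_key}"}, body)


def run_server_custody_design() -> dict:
    upstream = RecordingTransport()                       # only the server's network sees this
    backend = KeyCustodyBackend(CONSTRUCTED_OPENAI_KEY, upstream)
    client_wire = RecordingTransport(backend.handle)      # the hop a user or attacker can watch
    token = backend.login("user-42")
    ok = client_wire.send("https://your-app.example/chat", {"Authorization": f"Bearer {token}"}, {})
    bad = client_wire.send("https://your-app.example/chat", {"Authorization": "Bearer not-a-session"}, {})
    return {"client_saw": bearer_tokens_seen(client_wire), "upstream_saw": bearer_tokens_seen(upstream),
            "ok_status": ok["status"], "bad_status": bad["status"], "usage": dict(backend.usage)}
```

Under design A the observable hop records the real key no matter how many rounds of PBKDF2 protected it on disk; under design B the user-visible hop only ever carries a revocable per-user session token, and the server is the place where the per-user limit can be enforced.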

Graph of API usage; this last peak was on the day of the attack. It was already reaching the configured limit. Every other time the limit was reached, the service was cut off instantly. However, on the day of the attack, the use of the API greatly exceeded the configured limit until the key was erased.