My API key was leaked unexpectedly. My organization realized it after it hit the rate limits. However, the key was not deployed to any application and was only used locally through Python’s official API. I’m 100% sure I never uploaded the key online or revealed it to anyone (I haven’t uploaded anything to GitHub publicly in the past 6 months, and my private repos also don’t contain it).
I did read the instruction: Best Practices for API Key Safety | OpenAI Help Center
It provides no information on how it was possibly leaked.
Now I have deleted the key, but I need your help to investigate the problem and to prevent future leaks. Thank you so much,
Welcome to the forum, Jierui.
Are you the only person with access to the keys?
Thank you for the rapid reply. Yes. This key was only revealed to me myself once.
Ok, it would be a good idea to visit the https://help.openai.com site and click the icon in the bottom-right corner; it opens up a chatbot. Enter your query and email in there to get the ball rolling on asking the account support people to look into it. They are extremely busy with the volume of new users, so it can take several weeks.
On a more technical note, how have you been using your API key? On your home computer? Work PC? Is your source code on any networked drives? You mention that you have not used GitHub in 6 months; have you used any other offsite backup system? How are you storing your API keys for the code to read? (i.e. environment variables, a third-party key management system, etc.)
Thank you so much! I already sent a request for help. I put them in my code, unencrypted. As I’m constantly using different OpenAI accounts for different research projects, it is not so convenient to store them as env variables. I never backed up the project, the files, nor the key on the cloud or anywhere except locally.
Ok, well, at this point, so long as you have reset your keys, things should be fine; this is assuming your PC is not compromised. I think I would be tempted to use the system environment variable from now on, despite the added difficulty.
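The exchange above turns on one practical question: how to keep several project keys out of source files without making them painful to use. The following is an added example, not code from the thread, from OpenAI, or from its Python library. It assumes a naming scheme of one environment variable per project (`OPENAI_API_KEY_<PROJECT>`, a convention chosen here, not an OpenAI one), an optional `project=key` file readable only by the owner, and a small scanner that flags key literals assigned in source, which is the mistake described in the thread. The sample key and source text are constructed for the demonstration.

```python
import os
import re
import stat
from pathlib import Path
from typing import Dict, List, Mapping, Optional, Tuple

# Assumed convention for this example: one variable per research project,
# e.g. OPENAI_API_KEY_PROJECT_A. Nothing in the OpenAI client requires this name.
ENV_PREFIX = "OPENAI_API_KEY_"

# Matches assignments such as  api_key = "literal"  where the literal is long
# enough to be a credential. Only a literal in quotes is flagged; reading the
# key from os.environ or a file does not match.
HARDCODED_KEY_RE = re.compile(
    r"""(?i)(api[_-]?key)\s*=\s*["']([^"']{16,})["']"""
)


def env_var_name(project: str) -> str:
    """Map a project label such as 'project-a' to OPENAI_API_KEY_PROJECT_A."""
    slug = re.sub(r"[^A-Za-z0-9]+", "_", project).strip("_").upper()
    if not slug:
        raise ValueError("project name must contain letters or digits")
    return ENV_PREFIX + slug


def load_api_key(project: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Read the key for one project from the environment (or a supplied mapping)."""
    env = os.environ if env is None else env
    name = env_var_name(project)
    key = env.get(name, "").strip()
    if not key:
        raise KeyError(f"{name} is not set; export it in the shell that runs this script")
    return key


def redact(key: str) -> str:
    """Shorten a key for log lines so a traceback never carries a usable value."""
    if len(key) <= 8:
        return "*" * len(key)
    return f"{key[:3]}...{key[-4:]}"


def parse_keys_file(text: str) -> Dict[str, str]:
    """Parse 'project=key' lines; blank lines and '#' comments are ignored."""
    keys: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        project, sep, key = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {line!r}")
        keys[project.strip()] = key.strip()
    return keys


def file_is_private(path: Path) -> bool:
    """True when the keys file is not readable or writable by group/others.

    On non-POSIX systems the mode bits are not meaningful, so the check is skipped.
    """
    if os.name != "posix":
        return True
    mode = path.stat().st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_keys_file(path: Path) -> Dict[str, str]:
    """Load all project keys from a file, refusing one that other users can read."""
    if not file_is_private(path):
        raise PermissionError(f"{path} is readable by other users; run: chmod 600 {path}")
    return parse_keys_file(path.read_text(encoding="utf-8"))


def find_hardcoded_keys(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, variable_name) for each key literal assigned in source."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = HARDCODED_KEY_RE.search(line)
        if match:
            hits.append((lineno, match.group(1)))
    return hits


# Constructed sample values, not real credentials or real project code.
SAMPLE_ENV = {"OPENAI_API_KEY_PROJECT_A": "sk-CONSTRUCTED-EXAMPLE-0000"}
SAMPLE_SOURCE = (
    "import openai\n"
    'openai.api_key = "sk-CONSTRUCTED-EXAMPLE-KEY-0000000000"\n'
    'api_key = os.environ["OPENAI_API_KEY"]\n'
)

if __name__ == "__main__":
    key = load_api_key("project-a", SAMPLE_ENV)
    print("loaded key for project-a:", redact(key))
    for lineno, name in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"hard-coded credential in line {lineno} ({name}); move it to the environment")
```

Running `find_hardcoded_keys` over a project before each commit catches the literal-in-source pattern from the thread; the per-project variables keep switching accounts to a one-line `export` instead of editing code.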
There’s a black market for keys, e.g. Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces
The most common leak is via packet sniffing or reverse engineering a published app, but it doesn’t sound like you did that. It’s possible that you could have had yours stolen through a targeted attack.
Thanks for the analysis. I realized that I did use a non-authentic third-party proxy (VPN) globally on my computer, which is very risky behavior, as I reflected on it. That could potentially be the reason why it was leaked. (A kind reminder to those who see this post: be careful with proxies you cannot trust.)