Keys can be “leaked” by syncing code to an online repo service.
Keys can be “leaked” by foolishly placing them in an app instead of building a backend.
Keys can be leaked by an insecure backend file.
OpenAI regularly scans for such leaks, by agreements with several services.