So weird, we are facing the exact same issue. Never switched on GPT4 Turbo or GPT4 and getting massive bills! We revoked all keys and triple checked for leakage, but we had best practices in place. And it still continues to bill!! The problem started on Nov 13 after the latest release of GPT4, so I suspect something is off.
Don’t put API keys in your app. They will be stolen and abused.
You need a backend server with client authentication. Clients must only communicate with you, not OpenAI.
Did you place the key inside the app? Like hard coded into the app?
Something tells me that you’ve put your API key directly inside the app code, didn’t you?