OpenAI messages me that AI key has been leaked?

Hi,

3-4 times in the last 6 months I’ve gotten this message:

Hi there,

We have determined that your OpenAI API key “Ixyz” (sk-pro…3DS) was leaked, and have disabled it with immediate effect.

This may be because you committed your API key to an online service such as GitHub, or your key may have been compromised in another way.

It’s not on Git and not shared. I’m thinking something gets hacked, but don’t know. Anyone else experienced this? Thoughts?

Thanks guys!

Have you, by any chance, built an app that faces the web and written it inside client (browser) JS code? Or have you made an app where you put the API key in? Or something along these lines?

Kind of yes. It’s used as a bot within a WordPress plugin. So it’s in PHP within WP, but the directories should be blocked.

Is that WordPress plugin written in PHP or JS? I’m not proficient in WP, but if it’s JS I’m almost sure it gets exposed to the client, regardless if you block folders and whatnot. As soon as you expose anything client-side, bad guys can read the JS and extract keys and other sensitive information.

If you want, you can DM me your page and I’ll take a look to see if it exposes it.
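The reply above says that anything delivered to the browser can be read from it, and that can be checked on your own site. The following is an added example, not code from this thread or from the plugin: it scans the text a site sends to browsers for key-like strings. The `sk-` pattern, the `botSettings` variable, the `/wp-json/bot/v1/chat` route and all sample content are assumptions constructed for illustration.

```javascript
// Added example: scan content a site delivers to browsers for strings that
// look like OpenAI secret keys. All sample data below is constructed.

// Assumption: keys start with "sk-" followed by a long run of URL-safe
// characters. Adjust the pattern to the key format you actually use.
const KEY_PATTERN = /\bsk-[A-Za-z0-9_-]{20,}/g;

// Show only the first 6 and last 3 characters, like the notification e-mail.
function redact(key) {
  return `${key.slice(0, 6)}…${key.slice(-3)}`;
}

// assets: object mapping asset name -> text exactly as the browser receives it.
// Returns one finding per match: asset name, 1-based line, redacted key.
function findExposedKeys(assets) {
  const findings = [];
  for (const [asset, body] of Object.entries(assets)) {
    body.split(/\r?\n/).forEach((line, i) => {
      for (const m of line.matchAll(KEY_PATTERN)) {
        findings.push({ asset, line: i + 1, key: redact(m[0]) });
      }
    });
  }
  return findings;
}

// Constructed fake key, assembled from parts so it is obviously not real.
const FAKE_KEY = "sk-" + "EXAMPLEONLY".repeat(3) + "3DS";

// Constructed sample: a page where server-side code printed its settings
// (key included) into an inline script, and a JS file that only calls a
// hypothetical server-side endpoint and carries no key.
const sampleAssets = {
  "index.html": [
    "<html><head>",
    `<script>var botSettings = {"apiKey":"${FAKE_KEY}","model":"demo"};</script>`,
    "</head><body></body></html>",
  ].join("\n"),
  "bot.js": [
    "// calls the site's own PHP endpoint; no key in this file",
    'fetch("/wp-json/bot/v1/chat", { method: "POST", body: "{}" });',
  ].join("\n"),
};

const sampleFindings = findExposedKeys(sampleAssets);
console.log(sampleFindings);
```

Feed it the page source and script files saved from a logged-out browser session; a hit means the key reaches visitors even though it is defined in PHP.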

The key is in PHP, but there is other JS.

DMing you… Thank you.

Your WordPress has been hacked…

Export all Posts, delete everything and reinstall. Save the theme and check it for suspicious code.