Russian hackers stole my API key before app release

I’m utterly beside myself. I received a bill today from OpenAI for a hundred dollars. I checked the API logs and found a bunch of Russian and Chinese text. It looks like they were using my API key primarily to generate images, but there’s also a bunch of “Hi!” messages, which makes me think they’re running some sort of scan to see if they receive ChatGPT responses.

I checked my app (the API key is NOT embedded in my app) and Firebase/Google Cloud’s logs, and there’s no traffic to OpenAI from anyone but me. I also ran git log -p -S 'sk-proj' --all and git log -p -S 'OPENAI' --all just to ensure I didn’t accidentally include the API key in some earlier code (even though it’s not public) that was uploaded to Git, and nothing came up. Also, I store all my passwords in an encrypted file on my computer. So, clearly they were able to get my API key by some other means.

I’ve created a new API key and I’m going to more closely monitor the logs, but I’m really concerned about it happening again. It’d be great if I could turn off image generation completely but it doesn’t look like you can do that without also turning off chat completions and moderations. If someone has any recommendations I’d greatly appreciate it.
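The git log -p -S searches in the post only find commits that change the number of occurrences of one fixed string, so they can miss a key whose exact text you did not search for. The script below is an added example (not the poster's code) that walks the full git log -p --all output for every branch and tag and reports any key-shaped string on an added line, redacting the value so the report itself does not re-expose it. The two regexes (the sk-proj- prefix from the post and a broader sk- prefix) are assumptions for illustration, not an official description of any vendor's key format; the sample history embedded at the bottom is constructed so the script runs offline.

```python
"""Scan git history for committed API keys (added example, not the poster's code)."""
import re
import subprocess
from typing import Dict, List, Tuple

# Key-shaped patterns. "sk-proj-" is the prefix the post searched for; the
# generic "sk-" pattern is broader. Both are assumptions for illustration,
# not an official description of any vendor's key format.
SECRET_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("openai_project_key", re.compile(r"\bsk-proj-[A-Za-z0-9_-]{20,}")),
    ("openai_generic_key", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}")),
]


def redact(secret: str) -> str:
    """Keep only a short prefix and suffix so the report does not leak the key."""
    return f"{secret[:8]}...{secret[-4:]}"


def scan_patch_text(patch: str) -> List[Dict[str, str]]:
    """Walk `git log -p` output and report key-shaped strings on added lines.

    Only '+' lines are inspected: a secret that was deleted later still lives
    in history, but some commit introduced it as an added line, so scanning
    additions across all commits finds it and names the commit to rewrite.
    """
    findings: List[Dict[str, str]] = []
    commit = "?"
    path = "?"
    for line in patch.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("+") and not line.startswith("+++"):
            for kind, pattern in SECRET_PATTERNS:
                match = pattern.search(line)
                if match:
                    findings.append({
                        "commit": commit, "path": path, "kind": kind,
                        "value": redact(match.group(0)),
                    })
                    break  # first matching pattern wins; avoids double-reporting
    return findings


def scan_repository(repo_path: str) -> List[Dict[str, str]]:
    """Run the scan over every branch and tag of a local repository."""
    patch = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all"],
        check=True, capture_output=True, text=True, errors="replace",
    ).stdout
    return scan_patch_text(patch)


# Constructed sample history: one commit adds a key, a later one removes it.
# The key value is a made-up placeholder, not a real credential.
SAMPLE_PATCH = """\
commit 1111111111111111111111111111111111111111
Author: Example Dev <dev@example.invalid>

    add openai client config

diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
@@ -0,0 +1,2 @@
+import os
+OPENAI_API_KEY = "sk-proj-EXAMPLEONLYabcdefghijklmnop0123456789"
commit 2222222222222222222222222222222222222222
Author: Example Dev <dev@example.invalid>

    move key to environment

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,2 @@
 import os
-OPENAI_API_KEY = "sk-proj-EXAMPLEONLYabcdefghijklmnop0123456789"
+OPENAI_API_KEY = os.environ["OPENAI_API_KEY"]
"""

if __name__ == "__main__":
    for f in scan_patch_text(SAMPLE_PATCH):
        print(f"{f['commit'][:7]} {f['path']}: {f['kind']} {f['value']}")
```

On the constructed history the scan reports one finding in commit 1111111 (config.py) even though the second commit removed the key, which is the point: removing a secret in a later commit does not remove it from the repository. Run scan_repository(".") inside a real checkout to do the same over every branch and tag; a hit there means the key is still retrievable by anyone with access to the repository and should be treated as exposed and rotated, as the poster already did.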

Turning off the old API key was the best thing you could have done. Monitor to see if your new API key still results in these kinds of requests. I am especially paying attention to things like this because my API access was deactivated and there is no way someone could have stolen my API key as it is not shared anywhere outside my server and the server is safe as far as I can see.

I hope that your API access is not deactivated as a result. It seems impossible to get it activated again.