Something hacked my account

I received over 100 dollars worth of charges in one day within a small amount of time.

What options do I have? I didn’t initiate this. Right now, I’ve created a new API key and deleted the automatic billing for now until I can hear something on this.

You’ll need to contact OpenAI directly. This is the community forum

I tried every avenue including this forum and I guess I will wait and see what they say when they see my card doesn’t work.

Same story here. Someone is hacking my account and using GPT4. Even changed my usage limit.

You can try to enable 2FA as well
I guess they only recently added it

I guess it's only possible to set it in ChatGPT.
But I was just logging into my API/platform and it also asked me for the code.

If you think your API key might have been leaked, please rotate your API key immediately in your API key settings.

More details on: How can I report fraud or suspicious activity?


I agree with @AlexDeM. It is possible you put your API in a frontend app, or maybe you pushed it in a public GitHub repo by accident. The only real remedy for this is to disable the key and start a new one.

As a note, you should be putting your API key behind something like a server. So your OpenAI application lives on a server, like on a free instance, and the frontends talk to your server rather than the OpenAI server directly. This keeps your key safe on your server at all times. Additionally, if it was leaked in your GitHub repo, either as a hardcoded value or something else, make sure it is in some sort of environment file (JSON for C#, .env, JSON, or text for Python, and .env for JavaScript). Then, in your .gitignore file, just make sure to include that file in there so it never pushes to the repo.

If you have already taken these two precautions, then it is something more sophisticated and you should change passwords to your development and communication accounts as a precaution.

One other possible alternative is that you are using something like BabyAGI or Auto-GPT with no token or rate limiting and it just chewed through your limit pretty quick.
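An added example, not part of the post above and not OpenAI's tooling: a small Python audit of a project directory for the two precautions described, flagging hardcoded key-like strings and secret files that exist but are missing from .gitignore. The `sk-` key pattern, the file names in `ENV_FILES` and the sample project layout are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: keys look like "sk-" followed by 20+ URL-safe characters.
KEY_RE = re.compile(r"sk-[A-Za-z0-9_-]{20,}")
ENV_FILES = {".env", "secrets.json"}  # hypothetical names for local secret files
SKIP_DIRS = {".git", "node_modules", "__pycache__"}

def ignored_names(root):
    """Plain entries from root/.gitignore (simplification: no glob handling)."""
    path = Path(root, ".gitignore")
    if not path.is_file():
        return set()
    lines = (ln.strip() for ln in path.read_text(encoding="utf-8").splitlines())
    return {ln.strip("/") for ln in lines if ln and not ln.startswith("#")}

def audit(root):
    """Return (findings, unignored): (file, line) pairs holding key-like strings,
    and secret files that exist but are not listed in .gitignore."""
    root = Path(root)
    ignored = ignored_names(root)
    findings, unignored = [], []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or SKIP_DIRS & set(rel.parts):
            continue
        if path.name in ENV_FILES:  # secrets belong here, but only if git ignores it
            if path.name not in ignored and rel.as_posix() not in ignored:
                unignored.append(rel.as_posix())
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for lineno, line in enumerate(text.splitlines(), 1):
            if KEY_RE.search(line):
                findings.append((rel.as_posix(), lineno))
    return findings, unignored

def demo():
    """Audit a constructed project layout (the key is a fake placeholder)."""
    fake = "sk-" + "A" * 32
    with tempfile.TemporaryDirectory() as root:
        Path(root, "app.js").write_text("const a = 1;\nconst key = '%s';\n" % fake)
        Path(root, ".env").write_text("OPENAI_API_KEY=%s\n" % fake)
        Path(root, ".gitignore").write_text("node_modules/\n")
        return audit(root)

if __name__ == "__main__":
    print(demo())  # ([('app.js', 2)], ['.env'])
```

A key that was ever committed stays in the repository history even after the file is cleaned up, so a finding here still means rotating the key.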


Yes, I have just been hacked too. Luckily I was monitoring responses through an API log that I had created, then all of a sudden was getting a deluge of prompts that were not from me! And get this, the prompt logged the source of the request, and it was from ALIBABA China. I immediately reset my key, and luckily have set a low spend limit anyway (WHICH IS A GOOD IDEA BY THE WAY). I have absolutely no idea how they intercepted the key as mine is not public, so could it have been hacked from the OpenAI end? Developers, if you read these posts, take immediate action! For your benefit, a snippet of the prompt:

  • Copyright (C) 2015-2018 Alibaba Group Holding Limited

#include "iot_import.h"
#include "iot_export.h"
#include "app_entry.h"

