Recently, a script kiddie has been banned for sharing the stolen OpenAI API keys with many users on Discord for the r/ChatGPT subreddit.
Developers can seamlessly incorporate OpenAI’s language model, GPT-4, into their applications using API keys.
Oftentimes, developers unintentionally leave their keys embedded in their code, creating an opportunity for account theft that can be exploited with minimal effort.
The individuals who possess the stolen API keys can effectively deploy GPT-4 while accumulating charges for its users under the compromised OpenAI account.
Sharing GPT-4 API Keys for Free
Starting from March or even earlier, a user named “Discodtehe” has been skillfully extracting API keys from the source code shared on Replit, the software collaboration platform.
Discodtehe acquired unauthorized access to a highly valuable OpenAI account, which boasted a usage limit of $150,000.
On r/ChimeraGPT, the individual generously distributed complete unrestricted access to the GPT-4 and GPT-3.5-turbo, leading to a community of over 700 members who promptly accumulated usage charges on compromised accounts. Motherboard report says.
How the hacker obtained entry underscores a significant security concern that paid users of OpenAI should carefully evaluate.
There has been a noticeable surge in the usage of at least one stolen OpenAI API key in the past few days by “Discodtehe.”
Several screenshots were shared, depicting the progressive account usage increase over time. A recent screenshot reveals that the current month’s usage amounts to $1,039.37 out of the total allocation of $150,000.
However, Discodtehe has been extracting vulnerable API keys for extended periods. Discodtehe didn’t stop at scraping tokens; it went a step further.
According to Vice’s findings, in March, Discodtehe openly boasted about their exploit and stated:-
“I recently scraped repl.it and uncovered more than 1000 functional OpenAI API keys. Remarkably, I didn’t even conduct a comprehensive scrape; I roughly examined around half of the results.”
Discord and Reddit cannot trace the existence of “Discodtehe.” But, the cybersecurity analysts stressed the ongoing risk posed by the multitude of exposed API keys.