Recently, a script kiddie has been banned for sharing the stolen OpenAI API keys with many users on Discord for the r/ChatGPT subreddit.
Developers can seamlessly incorporate OpenAI’s language model, GPT-4, into their applications using API keys.
Oftentimes, developers unintentionally leave their keys embedded in their code, creating an opportunity for account theft that can be exploited with minimal effort.
The individuals who possess the stolen API keys can effectively deploy GPT-4 while accumulating charges for its users under the compromised OpenAI account.
Starting from March or even earlier, a user named “Discodtehe” has been skillfully extracting API keys from the source code shared on Replit, the software collaboration platform.
Discodtehe acquired unauthorized access to a highly valuable OpenAI account, which boasted a usage limit of $150,000.
On r/ChimeraGPT, the individual generously distributed complete unrestricted access to the GPT-4 and GPT-3.5-turbo, leading to a community of over 700 members who promptly accumulated usage charges on compromised accounts. Motherboard report says.
How the hacker obtained entry underscores a significant security concern that paid users of OpenAI should carefully evaluate.
There has been a noticeable surge in the usage of at least one stolen OpenAI API key in the past few days by “Discodtehe.”
Several screenshots were shared, depicting the progressive account usage increase over time. A recent screenshot reveals that the current month’s usage amounts to $1,039.37 out of the total allocation of $150,000.
However, Discodtehe has been extracting vulnerable API keys for extended periods. Discodtehe didn’t stop at scraping tokens; it went a step further.
According to Vice’s findings, in March, Discodtehe openly boasted about their exploit and stated:-
“I recently scraped repl.it and uncovered more than 1000 functional OpenAI API keys. Remarkably, I didn’t even conduct a comprehensive scrape; I roughly examined around half of the results.”
Discord and Reddit cannot trace the existence of “Discodtehe.” But, the cybersecurity analysts stressed the ongoing risk posed by the multitude of exposed API keys.
The Oligo Research team has disclosed a critical vulnerability in Meta’s widely used Llama-stack framework.…
INE Security, a leading global provider of cybersecurity training and certifications, today announced a new…
In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a colleague…
A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a grave…
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS) advisories…
A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with a…