Recently, a script kiddie has been banned for sharing the stolen OpenAI API keys with many users on Discord for the r/ChatGPT subreddit.
Developers can seamlessly incorporate OpenAI’s language model, GPT-4, into their applications using API keys.
Oftentimes, developers unintentionally leave their keys embedded in their code, creating an opportunity for account theft that can be exploited with minimal effort.
The individuals who possess the stolen API keys can effectively deploy GPT-4 while accumulating charges for its users under the compromised OpenAI account.
Starting from March or even earlier, a user named “Discodtehe” has been skillfully extracting API keys from the source code shared on Replit, the software collaboration platform.
Discodtehe acquired unauthorized access to a highly valuable OpenAI account, which boasted a usage limit of $150,000.
On r/ChimeraGPT, the individual generously distributed complete unrestricted access to the GPT-4 and GPT-3.5-turbo, leading to a community of over 700 members who promptly accumulated usage charges on compromised accounts. Motherboard report says.
How the hacker obtained entry underscores a significant security concern that paid users of OpenAI should carefully evaluate.
There has been a noticeable surge in the usage of at least one stolen OpenAI API key in the past few days by “Discodtehe.”
Several screenshots were shared, depicting the progressive account usage increase over time. A recent screenshot reveals that the current month’s usage amounts to $1,039.37 out of the total allocation of $150,000.
However, Discodtehe has been extracting vulnerable API keys for extended periods. Discodtehe didn’t stop at scraping tokens; it went a step further.
According to Vice’s findings, in March, Discodtehe openly boasted about their exploit and stated:-
“I recently scraped repl.it and uncovered more than 1000 functional OpenAI API keys. Remarkably, I didn’t even conduct a comprehensive scrape; I roughly examined around half of the results.”
Discord and Reddit cannot trace the existence of “Discodtehe.” But, the cybersecurity analysts stressed the ongoing risk posed by the multitude of exposed API keys.
A critical remote code execution vulnerability has been patched as part of the Wordpress 6.4.2 version. This vulnerability exists in…
Hackers target email accounts because they contain valuable personal and financial information. Successful email breaches enable threat actors to:- Identity…
PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid detection by antivirus programs, making it…
Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative targets. Outlook vulnerabilities offer:- Access to…
An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been discovered. This vulnerability can be exploited…
Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in multiple products. The CVEs for these…