Cyber Criminals Sharing GPT-4 API Keys for Free

Recently, a script kiddie has been banned for sharing the stolen OpenAI API keys with many users on Discord for the r/ChatGPT subreddit.

Developers can seamlessly incorporate OpenAI’s language model, GPT-4, into their applications using API keys.

Oftentimes, developers unintentionally leave their keys embedded in their code, creating an opportunity for account theft that can be exploited with minimal effort.

The individuals who possess the stolen API keys can effectively deploy GPT-4 while accumulating charges for its users under the compromised OpenAI account.

Sharing GPT-4 API Keys for Free

Starting from March or even earlier, a user named “Discodtehe” has been skillfully extracting API keys from the source code shared on Replit, the software collaboration platform.

Discodtehe acquired unauthorized access to a highly valuable OpenAI account, which boasted a usage limit of $150,000.

On r/ChimeraGPT, the individual generously distributed complete unrestricted access to the GPT-4 and GPT-3.5-turbo, leading to a community of over 700 members who promptly accumulated usage charges on compromised accounts. Motherboard report says.

How the hacker obtained entry underscores a significant security concern that paid users of OpenAI should carefully evaluate.

There has been a noticeable surge in the usage of at least one stolen OpenAI API key in the past few days by “Discodtehe.”

Several screenshots were shared, depicting the progressive account usage increase over time. A recent screenshot reveals that the current month’s usage amounts to $1,039.37 out of the total allocation of $150,000.

However, Discodtehe has been extracting vulnerable API keys for extended periods. Discodtehe didn’t stop at scraping tokens; it went a step further.

According to Vice’s findings, in March, Discodtehe openly boasted about their exploit and stated:-

“I recently scraped and uncovered more than 1000 functional OpenAI API keys. Remarkably, I didn’t even conduct a comprehensive scrape; I roughly examined around half of the results.”

Discord and Reddit cannot trace the existence of “Discodtehe.” But, the cybersecurity analysts stressed the ongoing risk posed by the multitude of exposed API keys.

Stop Advanced Email Threats That Target Your Business Email – Try AI-Powered Email Security


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

WordPress POP Chain Flaw Exposes Over 800M+ Websites to Attack

A critical remote code execution vulnerability has been patched as part of the Wordpress 6.4.2 version. This vulnerability exists in…

23 hours ago

Russian Star Blizzard New Evasion Techniques to Hijack Email Accounts

Hackers target email accounts because they contain valuable personal and financial information. Successful email breaches enable threat actors to:- Identity…

1 day ago

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid detection by antivirus programs, making it…

2 days ago

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative targets.  Outlook vulnerabilities offer:- Access to…

2 days ago

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been discovered. This vulnerability can be exploited…

3 days ago

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in multiple products. The CVEs for these…

3 days ago