“Cybercriminals Steal OpenAI API Keys to Illegally Access GPT-4”

A script kiddie who was sharing stolen OpenAI API keys has been banned from the r/ChatGPT Discord channel by its moderators. API keys allow developers to integrate OpenAI’s technologies, including its latest language model, GPT-4, into their own applications. The user, known as “Discodtehe”, had been scraping API keys since March from source code published to the software collaboration platform Replit. The person shared free access to the stolen keys on r/ChimeraGPT, where a community of over 800 members began racking up usage charges on the stolen accounts.

According to Vice reporting on June 7, Discodtehe can no longer be found on Discord or Reddit. However, tens of thousands of exposed API keys are still out in the wild, and cybercriminals have been trafficking stolen OpenAI keys openly on social platforms since they were exposed. Anyone holding a stolen key can use the associated account, accruing large bills for the owner and possibly accessing sensitive business data along the way.

GitGuardian, a cybersecurity firm, observed thousands of exposed OpenAI keys in public repositories, rising in proportion to the newfound popularity of ChatGPT. As of now, GitGuardian says there are more than 50,000 publicly leaked OpenAI keys on GitHub alone. This makes OpenAI developer accounts the third most exposed in the world, behind only MongoDB and Google.

Chris Anley, chief scientist at NCC Group, says the core of the advice is simple: do not place credentials in your source code. He adds, “And certainly don’t then publish that source code.” Every repository management system — be it GitHub, Replit, or any other — has a search function, and those search functions are now much better than before. It is trivial to search for strings such as “openapi.key” or “openai.api.key” and find live keys.

GitGuardian has also shown that the enterprise problem of hard-coded secrets does not stop at low-level hackers and Discord users. Current and former employees can divulge corporate secrets accidentally or with malicious intent. One reason credentials in code are so serious is that even in placid times, tech industry turnover runs around 20% per annum, so a key committed once is seen by everyone who has ever passed through the team.

OpenAI provides a guide to safeguarding secrets. It urges organizations to assign unique keys to individual users, use environment variables and a key management service, rotate keys, and never include keys in code. Dwayne McDaniel, security developer advocate at GitGuardian, says, “the proper thing would be to put your keys in a vault.” McDaniel also recommends to “rotate often. Do it on a regular basis — every day, if you’re very sensitive and know that you’ve been targeted before. Third-party tools can help that 24-hour rotation.”
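The two practices above, catching a hard-coded key before it is committed and loading it from the environment instead, as an added example written for this article (it is not GitGuardian’s or OpenAI’s tooling). It assumes OpenAI keys begin with “sk-” followed by a long alphanumeric run; the sample source lines and key values are constructed placeholders.

```python
import os
import re

# Constructed sample of source lines a pre-commit secret scan would inspect.
# Identifier names mirror the search strings quoted in the article; the
# "sk-" prefix is an assumption about OpenAI's key format, and the key
# values are made-up placeholders, not real secrets.
SAMPLE_SOURCE = """\
openai.api_key = "sk-FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE"
token = 'sk-abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH'
openai.api_key = os.environ["OPENAI_API_KEY"]
api_key = vault_client.read("openai/prod")
"""

# Identifiers the article says are trivial to search for in public repos.
KEY_IDENT = re.compile(r"(?i)openai[._]?api[._]?key|openapi[._]?key")
# A quoted string literal assigned on the same line.
LITERAL = re.compile(r"""=\s*(['"])[^'"]+\1""")
# Assumed OpenAI key shape: "sk-" followed by a long alphanumeric run.
KEY_SHAPE = re.compile(r"sk-[A-Za-z0-9]{20,}")


def redact(line: str) -> str:
    """Mask key-shaped values so the scan report itself does not leak them."""
    return KEY_SHAPE.sub(lambda m: m.group(0)[:5] + "...", line.strip())


def scan_source(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, reason, redacted_line) for every line that assigns a
    literal to an OpenAI key identifier or contains a key-shaped string.
    Lines that pull the key from the environment or a vault are not flagged."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if KEY_IDENT.search(line) and LITERAL.search(line):
            reason = "hard-coded key assignment"
        elif KEY_SHAPE.search(line):
            reason = "key-shaped literal"
        else:
            continue
        findings.append((n, reason, redact(line)))
    return findings


def load_key_from_env(var: str = "OPENAI_API_KEY") -> str:
    """Hardened alternative: read the key at runtime from the environment
    (a vault client would sit here instead), so it never lands in the repo."""
    key = os.environ.get(var)
    if not key:
        raise RuntimeError(f"{var} is not set; refusing to run without a key")
    return key
```

Run `scan_source` over staged files in a pre-commit hook; the two sample lines that embed a literal are flagged, while the environment and vault lookups pass.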

In conclusion, individuals and organizations should take concrete steps to secure their API keys: keep credentials out of source code and rotate keys often. This prevents cybercriminals from stealing API keys and using them to access sensitive data. Developers should also provide proper guidance and education to users on how to secure their API keys, and users must take responsibility for safeguarding their own data.
