OpenAI API Keys Stolen and Advertised on Discord
Journalists have noticed an increase in the advertisement of stolen OpenAI API tokens on the Discord server of the r/ChatGPT subreddit. These tokens are extracted from other people's code and allow people to use GPT-4 without paying for it, as the charges are billed to someone else’s account.
Stolen OpenAI Account with $150,000 Usage Limit
According to Vice Motherboard, a stolen OpenAI account with a usage limit of $150,000 is being distributed for free through the site and a dedicated Discord server, which has more than 500 members.
OpenAI requires people and companies that want to use its language models (including GPT-4) in their own software to create an account and link a bank card to it. They are then given a unique API key that gives them access to all the tools they need.
API Keys Discovered Through Scraping
API keys can be discovered using scraping. For example, user Discodtehe scraped the site Replit (repl.it), which allows coders to work together on various projects. In many cases, the authors of the code posted on the site did not even realize that their OpenAI API keys were publicly exposed and are now available to third parties.
Discodtehe wrote on the r/ChatGPT Discord server that his account was still not banned even after he did this. He also said that if enough people join, OpenAI won’t be able to ban them all.
Usage of at least one API key stolen by Discodtehe has increased markedly in the past few days. For example, some screenshots show that about $1,039.37 of the $150,000 limit was used up this month.
Discodtehe has been scraping keys for quite some time now, considering key thefts to be “just borrowing”. Back in March 2023, he wrote on Discord that he found more than 1000 working API keys on repl.it, having looked at only half of the results.
Replit to Review Token Scanning System
When journalists contacted Replit to report the issue, General Counsel and Head of Business Development Cecilia Ziniti said that “users are responsible for the safety of their tokens and should not store them in public code.” Replit already scans projects for popular types of API keys (such as GitHub), and it will be reviewing its token scanning system to ensure that users are alerted to the possibility of accidentally exposing ChatGPT tokens.
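A check that project owners can run on their own code before publishing it, shown here as an added example (it is not Replit's scanner and not code from the article). The key pattern, the placeholder heuristic and all function names are assumptions made for illustration, and the sample key is constructed.

```python
import re
import sys
from pathlib import Path

# Assumed key shape (not stated in the article): "sk-" followed by a long run
# of URL-safe characters, which covers legacy and "sk-proj-" style keys.
KEY_RE = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}")
MAX_BYTES = 1_000_000  # skip large files, which are rarely hand-written source

def is_placeholder(token):
    # Heuristic: documentation dummies like "sk-xxxxxxxx..." use few distinct characters.
    return len(set(token[3:])) < 6
def redact(token):
    # Never print the full secret into logs or CI output.
    return token[:6] + "..." + token[-4:]

def scan_text(name, text):
    """Return (file, line number, redacted key) for each hardcoded key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in KEY_RE.finditer(line):
            token = match.group(0)
            if not is_placeholder(token):
                findings.append((name, lineno, redact(token)))
    return findings

def scan_tree(root):
    """Scan every regular file under root, skipping .git and oversized files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if ".git" in path.parts or not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        findings.extend(scan_text(str(path), text))
    return findings

# Constructed sample: the key below is fabricated and was never valid.
FAKE_KEY = "sk-" + "Ab3dEf9hIj" * 5
SAMPLE = (
    "import os, openai\n"
    f'openai.api_key = "{FAKE_KEY}"  # hardcoded: flagged\n'
    'openai.api_key = os.environ["OPENAI_API_KEY"]  # read at runtime: clean\n'
    'EXAMPLE = "sk-xxxxxxxxxxxxxxxxxxxxxxxx"  # placeholder: ignored\n'
)
if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text("sample.py", SAMPLE)
    for name, lineno, key in hits:
        print(f"{name}:{lineno}: possible OpenAI API key {key}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status lets the script block a commit or a publish step; any key it reports should be treated as exposed and revoked, not just deleted from the file.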
Discodtehe went beyond just parsing tokens for himself and friends. On another Discord server called ChimeraGPT, he offers everyone “free access to GPT-4 and GPT-3.5-turbo”. In one post, he reveals that ChimeraGPT is