    Cybercrooks Scrape OpenAI API Keys to Pirate GPT-4

By justmattg, June 9, 2023


    Yesterday, moderators of the r/ChatGPT Discord channel banned a script kiddie who was freely sharing stolen OpenAI API keys with hundreds of other users.

API keys allow developers to integrate OpenAI’s technologies — particularly its latest language model, GPT-4 — into their own applications. Often, however, developers leave their keys behind in their code, making account theft a matter of just a few clicks.

    Since at least March, a user by the name “Discodtehe” has been scraping API keys from source code published to the software collaboration platform Replit. The person shared free access to the booty on r/ChimeraGPT, where a community of more than 800 members began racking up usage charges to the stolen accounts.

[Image: r/ChatGPT users coyly discussing the dangers of leaked API keys]

    Following Vice reporting on June 7, Discodtehe can no longer be found on Discord or Reddit. But the story isn’t over, experts emphasize: Tens of thousands of exposed API keys are still out in the wild.

    “The core of the story is: Don’t put credentials in your source code,” says Chris Anley, chief scientist at NCC Group. “And certainly don’t then publish that source code.”

    OpenAI Keys Are Everywhere

    As ChatGPT exploded in popularity, its keys began proliferating on the open Web.

In The State of the Secrets Sprawl 2023 report, published March 8, GitGuardian observed thousands of exposed OpenAI keys in public repositories, rising in proportion to the newfound popularity of ChatGPT.

    As of this writing, GitGuardian tells Dark Reading there are more than 50,000 publicly leaked OpenAI keys on GitHub alone. That makes OpenAI developer accounts the third most exposed in the world, behind only MongoDB and Google.

With vulnerability has come exploitation: cybercriminals have been trafficking stolen OpenAI keys ever since, often out in the open on social platforms. Anyone holding a stolen key can act as the associated account, accruing large bills for the owner and possibly accessing sensitive business data along the way.

    What enables this market isn’t just developers’ lack of due diligence, but also the ease with which anybody can find this information in public forums. Back in March, according to Vice, Discodtehe bragged how “the other day I scraped repl.it and found over 1000 working openai api keys,” adding that, “I didn’t even do a full scrape, I only looked at about half of the results.”

    They probably weren’t exaggerating. On a Zoom call, Dwayne McDaniel, security developer advocate at GitGuardian, demonstrated how easy it would’ve been. “I signed up for a Replit account a couple of minutes ago, and it took me less than two minutes to find OpenAI keys,” he said.

    “In any repository management system — be it GitHub, Replit, what have you — there’s a search function. And search functions have only gotten better over time. So I looked for ‘openapi.key’, ‘openai.api.key’, and so on, and it brought back search results,” he explained.

    How Developers Can Protect Their API Secrets

    Enterprises’ problem with hard-coded secrets doesn’t always end with low-level hackers and Discord users.

[Image. Source: GitGuardian]

    As Anley explains: “One of the reasons why it’s so serious when people put credentials in code is that even in relatively placid times, tech industry turnover runs around 20% per annum. So if all of your most sensitive secrets are hard coded in your private corporate repositories, that means that, every year, 20% of your developers are walking out with administrative credentials to your systems in their back pocket. And that’s without any breach happening!”

    Current and former employees can divulge corporate goodies by accident, or with malicious intent.

    But keeping secrets doesn’t have to be hard. OpenAI even provides a handy guide to it, recommending that organizations assign unique keys to each individual user, use environmental variables and a key management service, rotate keys, and, of course, never include keys in code.
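The search terms McDaniel describes above are the same signals a defender can turn into a pre-commit check, and the OpenAI guidance above reduces to "read the key from the environment, never from a literal." The following is an added example, not code from the article, GitGuardian or OpenAI: a small scanner that flags hard-coded keys in constructed sample files, beside a loader that refuses to start without an environment-supplied key. The `sk-` prefix is the shape OpenAI keys use; the sample key values are fabricated placeholders.

```python
import os
import re
from typing import List, Tuple

# Constructed sample "source files" as path -> contents. The sk- values are
# fabricated placeholders, not real keys.
SAMPLE_FILES = {
    "app_bad.py": 'import openai\nopenai.api_key = "sk-' + "A" * 48 + '"\n',
    "config.js": 'const OPENAI_API_KEY = "sk-' + "B" * 48 + '";\n',
    "settings.yaml": 'openai_api_key: "replace-me-with-real-key"\n',
    "app_good.py": 'import os, openai\nopenai.api_key = os.environ["OPENAI_API_KEY"]\n',
}

# Two signals: the sk- token shape itself, and an assignment of a string
# literal to a name that looks like an OpenAI key (mirrors the search terms
# quoted in the article). The second catches keys in any format.
KEY_SHAPE = re.compile(r"\bsk-[A-Za-z0-9]{20,}\b")
KEY_ASSIGN = re.compile(r"(?i)openai[._]?api[._]?key\s*[:=]\s*['\"]")


def scan_source(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_no, reason) for each line that looks like a hard-coded key."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if KEY_SHAPE.search(line):
            findings.append((path, no, "literal sk- token"))
        elif KEY_ASSIGN.search(line):
            findings.append((path, no, "key assigned from string literal"))
    return findings


def scan_files(files: dict) -> List[Tuple[str, int, str]]:
    """Scan every file; a non-empty result should fail the commit or CI job."""
    out = []
    for path, text in files.items():
        out.extend(scan_source(path, text))
    return out


def load_api_key(env=os.environ) -> str:
    """Hardened loader: the key comes from the environment (or a vault that
    populates it), never from source, and a missing key is a hard failure."""
    key = env.get("OPENAI_API_KEY")
    if not key:
        raise RuntimeError("OPENAI_API_KEY is not set; refusing to start without it")
    return key


if __name__ == "__main__":
    for path, no, reason in scan_files(SAMPLE_FILES):
        print(f"{path}:{no}: {reason}")
```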

    McDaniel echoes all of the same points. “The proper thing would be to put your keys in a vault,” he says, and to “rotate often. Do it on a regular basis — every day, if you’re very sensitive, and you know that you’ve been targeted before. Third-party tools can help that 24-hour rotation.”

    At the end of the day, he concludes, “the best secrets you can ever have are ones that either just don’t exist, or that you never actually know yourself because they’re rotated automatically.”
