Cybercriminals Steal OpenAI API Keys to Pirate GPT-4

A cybercriminal group has been using stolen OpenAI API keys to exploit the popular language model, GPT-4. Developers mistakenly leave their keys in their code, which leaves them vulnerable to theft. The group has been scraping these keys from source code published on the software collaboration platform, Replit, since at least March. The group then shares the access they gain for free on social platforms, enabling users to accrue large bills and potentially access sensitive business data. In a report released in March, GitGuardian observed a rising number of exposed OpenAI keys in public repositories. This follows the increasing popularity of ChatGPT, which has led to a proliferation of keys on the open Web. As of now, GitGuardian states that over 50,000 publicly leaked OpenAI keys can be found on GitHub alone. This leaves OpenAI developer accounts as the third most exposed in the world. The problem’s severity doesn’t end with low-level hackers and Discord users, as employees with access to this sensitive data can potentially divulge it by accident or with malicious intent. The best way to protect against this is for organizations to assign unique keys to each user, use environmental variables and a key management service, rotate keys often, and never include keys in code. The best approach is to have secrets that are either nonexistent or are rotated automatically, according to experts.