I just had one of my OpenAI API keys stolen and ~$140 in charges run up. The only place I ever used this key was a hackathon project a couple months ago… https://replit.com/@david235/LLMCollaboration
I just found out that this code (and thus my key) is public?! I made a private repl when I was a paying member of the service, but I canceled my membership, and it looks like they must have made my code public when my subscription expired?
If so, this is very not-cool; you can’t make private code public for all kinds of reasons. What is supposed to be the policy on this?
You should’ve put your API key in secrets, regardless of whether your Repl was private…
Why did Replit make your Repl public, though? I thought they just held it for ransom until you paid them or decided to let the Repl be public.
@9pfs1 yeah no doubt I should have been better on the security. It was a quick project for a weekend hackathon, so I was moving fast. Wasn’t concerned given that (I thought) the code was private.
I swear I made it private originally – is there any way to check? It’s certainly public now
It’s for sure public now, as I am able to view it. You should probably remove your API key though, that is still visible to anyone who stumbles upon your Repl. (it looks like you are trying to use env variables which is good, but the line with the API key is still there)
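The two fixes the replies point at (read the key from Secrets, and make sure no literal copy of it is left in the source) can be checked mechanically. The following is an added example, not code from the thread or from Replit; it assumes Replit Secrets are surfaced to the program as environment variables (here `OPENAI_API_KEY`, an assumed name) and uses a constructed `sk-` prefix heuristic to flag quoted key literals in a source file. The sample source and the key value in it are constructed for the example.

```python
import os
import re
import sys
from typing import List, Tuple

# Heuristic for OpenAI-style secret keys: an "sk-" prefix followed by a long
# alphanumeric run, inside quotes. Constructed for this example; extend the
# pattern for other vendors' key formats as needed.
KEY_PATTERN = re.compile(r"""(['"])(sk-[A-Za-z0-9_\-]{20,})\1""")


def load_api_key(env_var: str = "OPENAI_API_KEY") -> str:
    """Read the key from the environment (how Secrets reach the program, assumed)
    and fail loudly if it is missing instead of falling back to a literal."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; add it to Secrets, not to the source")
    return key


def find_hardcoded_keys(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_key) for every quoted key literal in source.

    Only a redacted form is returned so the finding can be logged without
    copying the secret into yet another place."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = KEY_PATTERN.search(line)
        if match:
            key = match.group(2)
            hits.append((lineno, key[:6] + "..." + key[-4:]))
    return hits


def scan_files(paths: List[str]) -> List[Tuple[str, int, str]]:
    """Scan each file on disk and collect (path, line_number, redacted_key)."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, redacted in find_hardcoded_keys(fh.read()):
                findings.append((path, lineno, redacted))
    return findings


# Constructed sample: a hardcoded key (the pattern the reply warns about) next to
# the commented-out env-var approach that should replace it.
SAMPLE_SOURCE = """\
import os
import openai
openai.api_key = "sk-CONSTRUCTEDEXAMPLEKEY0000000000000000"
# openai.api_key = os.environ["OPENAI_API_KEY"]
"""


if __name__ == "__main__":
    # Usage: python check_keys.py file1.py file2.py ...
    # With no arguments, scan the constructed sample instead.
    if len(sys.argv) > 1:
        results = scan_files(sys.argv[1:])
    else:
        results = [("<sample>", n, k) for n, k in find_hardcoded_keys(SAMPLE_SOURCE)]
    for path, lineno, redacted in results:
        print(f"{path}:{lineno}: hardcoded key literal {redacted}")
    sys.exit(1 if results else 0)
```

Run against the sample, the scanner flags line 3 and exits non-zero; the commented env-var line is not flagged because it contains no key literal. Running it over the project before publishing (or in a pre-commit hook) catches the leftover line even when the rest of the code already reads from the environment. Note that a key that was ever committed to a public Repl should be treated as compromised and rotated regardless of whether the line is later removed.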