I just had one of my OpenAI API keys stolen and ~$140 in charges run up. The only place I ever used this key was a hackathon project a couple months ago… https://replit.com/@david235/LLMCollaboration
I just found out that this code (and thus my key) is public?! I made a private repl when I was a paying member of the service, but I canceled my membership, and it looks like they must have made my code public when my subscription expired?
If so, this is very not-cool; you can’t make private code public for all kinds of reasons. What is supposed to be the policy on this?
You should’ve put your API key in secrets, regardless of whether your Repl was private…
Why did Replit make your Repl public, though? I thought they just held it for ransom until you paid them or decided to let the Repl be
Last I checked the terms were if you end the subscription, it’s still private, but you can’t edit it
And if you entered the Repl it would require you to either purchase a subscription/private repls or turn private repls off.
@9pfs1 yeah no doubt I should have been better on the security. It was a quick project for a weekend hackathon, so I was moving fast. Wasn’t concerned given that (I thought) the code was private.
I swear I made it private originally – is there any way to check? It’s certainly public now
It’s for sure public now, as I am able to view it. You should probably remove your API key though, that is still visible to anyone who stumbles upon your Repl. (it looks like you are trying to use env variables which is good, but the line with the API key is still there)
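The situation described in the reply above (an env-var lookup sitting next to a leftover key literal) can be caught before a Repl is ever shared. The following is an added example, not code from the thread or from the linked project: a small scanner that flags OpenAI-style key literals (the `sk-` prefix and minimum length are assumptions) and a loader that only ever reads the key from the environment, which is how Replit Secrets are exposed to the program.

```python
import os
import re
from typing import List, Mapping, Optional, Tuple

# Shape of an OpenAI-style secret key literal. Assumption: "sk-" prefix followed by
# at least 20 key characters; adjust the pattern for other providers.
KEY_LITERAL = re.compile(r"""['"](sk-[A-Za-z0-9_-]{20,})['"]""")


def find_hardcoded_keys(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_key) for every key literal found in source.

    Commented-out lines are scanned too: a key in a comment leaks just as badly
    once the file is public.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in KEY_LITERAL.finditer(line):
            key = match.group(1)
            # Redact so the finding itself does not re-leak the key in logs.
            findings.append((lineno, key[:6] + "..." + key[-4:]))
    return findings


def load_api_key(env_var: str = "OPENAI_API_KEY",
                 environ: Optional[Mapping[str, str]] = None) -> str:
    """Read the key from the environment (Replit Secrets appear as env vars).

    `environ` can be passed explicitly for testing; by default os.environ is used.
    Fails loudly instead of falling back to a literal in the source.
    """
    env = os.environ if environ is None else environ
    key = env.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; add it under Secrets, not in code")
    return key


# Constructed sample mirroring the thread: the env-var lookup is there, but the
# hackathon-era literal was left behind in a comment. The key value is fake.
SAMPLE_SOURCE = '''
import os
openai.api_key = os.environ.get("OPENAI_API_KEY")
# openai.api_key = "sk-EXAMPLEONLYNOTAREALKEY0000000000"  # leftover from the hackathon
'''

if __name__ == "__main__":
    for lineno, redacted in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded key {redacted}")
```

Run it over every file in the Repl (or as a pre-commit hook) and treat any finding as a key to rotate, not just a line to delete, since it may already be in the file history.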
Haha, nerfed that API key the moment I realized it was being misused. Won’t do a whole hell of a lot now.
But still would like to know how this thing became public.
Not that I am aware of. Maybe if you contact Replit Support they could possibly tell you, that is if they even store that information though.