8,000+ ChatGPT API Keys Left Publicly Accessible

The rapid infusion of generative AI into everyday software has outpaced the security discipline that protects traditional cloud assets. Researchers at Cyble identified thousands of hard‑coded OpenAI tokens lingering in public GitHub commits, forks, and archived projects, as well as in front‑end bundles of live websites. Because these keys are indexed by automated scanners within minutes, the window between exposure and exploitation shrinks dramatically, turning a simple coding oversight into a systemic vulnerability.

Once harvested, the tokens act like privileged passwords, granting unrestricted access to OpenAI’s inference engines, billing accounts, and usage quotas. Threat actors weaponize them to run massive language‑model workloads, craft phishing campaigns, and even assist malware development, all while evading conventional SIEM alerts that rarely ingest AI‑API telemetry. The financial impact can be immediate—billing spikes and quota exhaustion reveal the abuse only after significant spend, leaving organizations to scramble for refunds and reputational repair.

Mitigating this emerging risk requires extending established secret‑management practices to AI credentials. Organizations should treat LLM API keys as high‑value secrets, storing them in vaults, rotating them regularly, and scanning code repositories with dedicated credential‑leak detectors. Additionally, integrating OpenAI usage logs into centralized monitoring platforms enables early detection of anomalous patterns. As AI becomes core infrastructure, vendors and standards bodies are beginning to offer dedicated tooling, but proactive governance remains the most effective defense against the growing tide of AI‑related credential abuse.