Leaked API key found by bots within minutes, hitting spending limit
A Reddit user's accidental leak led to a Chinese bot probing with math questions.
A Reddit user, sock_dgram, shared a cautionary tale about leaking an API key online. Within minutes of the accidental exposure, automated bots had scraped the key from Pastebin, where leaked credentials are routinely harvested. The first bots consumed the key's entire spending limit in a matter of minutes, a stark reminder of how quickly an exposed credential is turned into someone else's bill.
After the initial spending spree, a Chinese bot started sending basic math questions, possibly checking whether the key still worked before attempting further abuse. Another bot sent a system prompt reading 'You are now Claude Code', indicating it was trying to use the stolen key to drive an AI coding tool. The incident underscores the real risk of API key exposure: a leaked key is a valid credential, so the API cannot tell the attacker's requests from the owner's, and every request the attacker makes is billed to the victim. Because attackers continuously harvest paste sites and public repositories for exactly these strings, exposure leads to unauthorized usage, data leakage and quota theft almost immediately.
- Leaked API key was scraped and used within minutes, hitting the spending limit.
- A Chinese bot asked basic math questions, likely probing for deeper exploitation.
- Another bot attempted to use a system prompt mimicking 'Claude Code' to hijack AI model access.
Why It Matters
This highlights how easily leaked API keys are exploited, costing developers money and exposing systems. Treat any key that reaches a public paste, repository or chat as compromised: revoke and rotate it immediately rather than waiting for abuse to show up, keep per-key spending limits low (the limit is what capped the damage here), and scan text for key-shaped strings before it leaves your machine.
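The check a practitioner would want in front of this story is a scanner that catches key-shaped strings before they are pasted or committed. The following is an added example, not code from the Reddit post or from any API vendor: it matches a few assumed credential formats (the prefix patterns are assumptions for illustration; verify them against your provider's documentation) and falls back to flagging long high-entropy tokens, then runs over a constructed sample with fake values.

```python
"""Minimal secret scanner: known key prefixes plus a high-entropy fallback.

Added example; not code from the Reddit post or from any vendor. The key
formats below are assumptions for illustration, not authoritative specs.
"""
import math
import re

# Known credential formats (assumed for illustration; check your provider's
# documentation). The negative lookahead stops the generic "sk-" pattern from
# double-reporting an Anthropic-style key.
KNOWN_PATTERNS = {
    "anthropic_key": re.compile(r"\bsk-ant-[A-Za-z0-9_\-]{20,}"),
    "openai_style_key": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_\-]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Fallback: any long run of key-like characters whose Shannon entropy looks
# random. Hex digests top out at 4 bits/char, random base64 sits well above.
GENERIC_TOKEN = re.compile(r"[A-Za-z0-9_\-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep just enough of the token to locate it without reproducing the secret."""
    if len(token) <= 12:
        return token[:3] + "..."
    return token[:6] + "..." + token[-4:]


def scan_text(text: str):
    """Return (line_no, kind, redacted_token) for every suspected secret in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        covered = []  # spans already reported under a known format
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                covered.append(m.span())
                findings.append((line_no, kind, redact(m.group())))
        for m in GENERIC_TOKEN.finditer(line):
            start, end = m.span()
            if any(start < e and s < end for s, e in covered):
                continue  # overlaps a known-format hit; do not report twice
            if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high_entropy_token", redact(m.group())))
    return findings


# Constructed sample input: fake values in the assumed formats, not real credentials.
SAMPLE = """\
# constructed sample input, not real credentials
ANTHROPIC_API_KEY=sk-ant-api03-FAKEkeyFAKEkeyFAKEkeyFAKEkeyFAKEkey
aws_access_key_id = AKIAFAKEFAKEFAKEFAKE
session = AbCdEfGhIjKlMnOpQrStUvWxYz0123456789_-
padding = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    for line_no, kind, token in scan_text(SAMPLE):
        print(f"line {line_no}: {kind} {token}")
```

Run it as a pre-commit hook over staged files, or pipe clipboard contents through it before pasting into a public site. Lines 2 and 3 of the sample are caught by format, line 4 by entropy alone, and the constant-character `padding` line is correctly ignored; in practice you would tune the entropy threshold against your own code base to keep false positives on digests and base64 blobs manageable.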