My OpenAI Key Got Stolen From a JS Bundle
A bot scanned my test subdomain, found an OpenAI API key in the frontend JS bundle, and maxed it out in a single day. Lost $6. Here's what happened.
Vitaliy · ilovefiniki.com
A bot scanned my test subdomain, found an OpenAI API key sitting in the frontend JS bundle, and burned through the entire balance in a single day. I lost $6. Here's exactly what happened and what I changed.
How It Happened
I had a test environment running on a subdomain. No links to it anywhere — just a staging setup while the client was on pause for a month.
That doesn't mean it's invisible. Bots scan subdomains constantly. One found it.
The project had an OpenAI integration on the frontend. The API key was embedded directly in the JavaScript bundle, accessible to anyone who opened DevTools or ran a simple scrape.
When I got a notification that my OpenAI API balance was empty, I checked the usage stats. Everything was spent in a single day on that one test project.
What I Already Had Right
The damage was limited because of a few habits:
- Separate keys per project — the stolen key only affected this one project
- Spending limits per key — capped the loss at $6
- No shared credentials — nothing else was exposed
These habits didn't prevent the incident, but they contained it.
What I Changed
The obvious fix: API keys for external services should never appear in frontend code. Move them to a backend proxy or serverless function that handles requests server-side.
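What that backend proxy looks like in practice, as an added example (not the author's code or the project's): a Node 18+ server using only built-ins that reads the key from an environment variable, validates what the browser sends, forwards the call upstream, and returns only the generated text. The route name /api/chat, the OPENAI_API_KEY variable, the allowed model, the prompt length cap and the max_tokens bound are all assumptions chosen for the example.

```javascript
// Added example, not the post's code: a minimal server-side proxy so the
// OpenAI key never reaches the browser bundle. Node 18+ built-ins only.
// Assumed names: OPENAI_API_KEY env var, /api/chat route, limits below.
const MAX_PROMPT_CHARS = 2000;                     // assumption: cap per request
const ALLOWED_MODELS = new Set(['gpt-4o-mini']);   // assumption: models the client may ask for
const UPSTREAM_URL = 'https://api.openai.com/v1/chat/completions';

// Validate the browser's request. Only a prompt (and optionally a model name)
// cross this boundary; the client never sees or chooses the API key.
function validateClientBody(body) {
  if (!body || typeof body.prompt !== 'string' || body.prompt.length === 0) {
    return { ok: false, error: 'prompt must be a non-empty string' };
  }
  if (body.prompt.length > MAX_PROMPT_CHARS) {
    return { ok: false, error: `prompt exceeds ${MAX_PROMPT_CHARS} characters` };
  }
  const model = body.model ?? 'gpt-4o-mini';
  if (!ALLOWED_MODELS.has(model)) {
    return { ok: false, error: 'model not allowed' };
  }
  return { ok: true, prompt: body.prompt, model };
}

// Build the upstream request. The key is read on the server and travels only
// in the Authorization header to the upstream API, never in the body.
function buildUpstreamRequest(validated, apiKey) {
  return {
    url: UPSTREAM_URL,
    options: {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${apiKey}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({
        model: validated.model,
        messages: [{ role: 'user', content: validated.prompt }],
        max_tokens: 300, // assumption: bound the spend of a single call
      }),
    },
  };
}

// Reduce the upstream response to what the client needs. Nothing about the
// account, organisation or raw usage data is forwarded to the browser.
function shapeClientResponse(upstreamJson) {
  const text = upstreamJson?.choices?.[0]?.message?.content ?? '';
  return { text };
}

async function handleChat(req, res) {
  const apiKey = process.env.OPENAI_API_KEY;
  if (!apiKey) { res.writeHead(500); return res.end('server misconfigured'); }
  let raw = '';
  for await (const chunk of req) raw += chunk;
  let body;
  try { body = JSON.parse(raw); } catch { res.writeHead(400); return res.end('invalid JSON'); }
  const v = validateClientBody(body);
  if (!v.ok) { res.writeHead(400); return res.end(v.error); }
  const { url, options } = buildUpstreamRequest(v, apiKey);
  const upstream = await fetch(url, options);
  const json = await upstream.json();
  res.writeHead(upstream.ok ? 200 : 502, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify(shapeClientResponse(json)));
}

// Start listening only when explicitly asked, so the module can be imported
// (or tested) without opening a port.
async function startServer(port = 3000) {
  const { createServer } = await import('node:http');
  const server = createServer((req, res) => {
    if (req.method === 'POST' && req.url === '/api/chat') {
      handleChat(req, res).catch(() => { if (!res.headersSent) res.writeHead(502); res.end(); });
      return;
    }
    res.writeHead(404); res.end();
  });
  server.listen(port);
  return server;
}

if (process.env.START_PROXY === '1') startServer(Number(process.env.PORT) || 3000);
```

Run it with `START_PROXY=1 OPENAI_API_KEY=... node proxy.js`; the frontend then calls `fetch('/api/chat', { method: 'POST', body: JSON.stringify({ prompt }) })` and the bundle contains no credential at all. The allow-list of models, the prompt cap and the max_tokens bound are what keep a scraper who finds the public endpoint from doing what the scraper in this story did with the raw key; add per-IP rate limiting or a login check in front of the route for anything beyond a staging setup.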
The broader lesson: a test environment with no external links is not a private environment. If it's on a public subdomain, assume it will be found.
If a project is paused, either take it down or strip out any live credentials.
The Takeaway
You can run security checks, keep keys out of git, and think you've covered everything — and still miss something obvious. The AI wrote the insecure code. I reviewed it. I missed it.
Don't relax just because you have habits. Audit periodically, especially before leaving anything running unattended.
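One periodic audit that would have caught this particular mistake before deploy, as an added example (not the author's code): scan the built frontend assets for strings shaped like secret keys and fail the build if any turn up. The only key shape included is the "sk-" prefix that OpenAI keys carry; the KEY_PATTERNS list, the file extensions scanned and the sample bundle text are constructed for the example.

```javascript
// Added example, not the post's code: a pre-deploy check that scans build
// output for strings shaped like secret API keys.
// Assumptions: OpenAI keys start with "sk-"; other providers need their own
// pattern added to KEY_PATTERNS. The sample bundle below is constructed.
const KEY_PATTERNS = [
  { name: 'openai', re: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
];

// Scan one text blob line by line; report line number, kind and a short
// preview (never the whole match, so the report itself does not leak it).
function findLeakedKeys(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const { name, re } of KEY_PATTERNS) {
      re.lastIndex = 0;                 // /g regex keeps state; reset per line
      let m;
      while ((m = re.exec(line)) !== null) {
        findings.push({ line: idx + 1, kind: name, preview: m[0].slice(0, 8) + '...' });
      }
    }
  });
  return findings;
}

// Decide whether the build should stop: any finding is a failure.
function shouldFailBuild(findings) {
  return findings.length > 0;
}

// Walk a build directory (e.g. dist/) and scan every .js, .map and .html file.
async function scanBuildDir(dir) {
  const fs = await import('node:fs/promises');
  const path = await import('node:path');
  const results = [];
  async function walk(d) {
    for (const entry of await fs.readdir(d, { withFileTypes: true })) {
      const full = path.join(d, entry.name);
      if (entry.isDirectory()) { await walk(full); continue; }
      if (!/\.(js|map|html)$/.test(entry.name)) continue;
      const text = await fs.readFile(full, 'utf8');
      for (const f of findLeakedKeys(text)) results.push({ file: full, ...f });
    }
  }
  await walk(dir);
  return results;
}

// Constructed sample of what a leaking bundle looks like (not a real key).
const SAMPLE_BUNDLE = [
  'const client = new OpenAI({ apiKey: "sk-CONSTRUCTED_EXAMPLE_NOT_A_REAL_KEY_0000" });',
  'const skip = "sk-short";',
  'fetch("/api/chat", { method: "POST" })',
].join('\n');

if (process.env.SCAN_DIR) {
  scanBuildDir(process.env.SCAN_DIR).then((found) => {
    for (const f of found) console.error(`${f.file}:${f.line} ${f.kind} ${f.preview}`);
    process.exit(shouldFailBuild(found) ? 1 : 0);
  });
}
```

Wire it in as `SCAN_DIR=dist node scan-bundle.js` after the build step in CI, and the pipeline refuses to ship a bundle that contains a key-shaped string. It is a cheap complement to keeping keys out of git: the secret never sat in a source file here, it was injected at build time, which is exactly the case a repository scanner misses.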
Running AI integrations in your product and want a second set of eyes on the security setup? Get in touch →