The latest articles on DEV Community by Fernando Flores (@selver). https://dev.to/selver https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3703385%2Fe367736f-d663-4432-a3ae-dae85d6daab5.jpeg https://dev.to/selver en Fernando Flores Fri, 16 Jan 2026 05:21:50 +0000 https://dev.to/selver/using-leaked-openai-api-keys-it-seemed-like-a-good-idea-until-it-wasnt-3537 https://dev.to/selver/using-leaked-openai-api-keys-it-seemed-like-a-good-idea-until-it-wasnt-3537 <p>I had one week to deliver a project: a voice-based virtual assistant for desktop with artificial intelligence.</p> <p>Tigh deadine, high expectations, and important detail: <strong>zero budget</strong>.</p> <p>Building an AI from scratch in a week wasn't realistic, so I took the obvious route: using the OpenAI API. It worked greate... until I checked the pricing. For a school project, paying didn't sound very appealing.</p> <p>So I did what many students under pressure would do: I started looking for alternatives.</p> <h3> The "creative" solution I found on Github </h3> <p>While digging through Github, I came across a repository called "<strong>ChatGPT-API-Scanner</strong>". really liked the name, i found my solution...</p> <p>The repository contained a Python script that performs web scraping across GitHub, specifically scanning <code>.env</code> files to find publicly exposed API kets. In other words, it looks for repositories where someone accidentally committed their key.</p> <p>It sounds bad. Technically, it is, but that's where the uncomfortable question show up: </p> <blockquote> <p>If someone expose their API key publicly, is using it still stealing?</p> </blockquote> <p>I'm not justifying it, but when you're on a deadline, the line doesn't feel as clear as it should.</p> <h3> The reality behind "free" API keys </h3> <p>Running the script isn't fast. Each execution takes around <strong>1 to 2hrs</strong>. On average, it finds about 10 API keys, but only around 4% of them actually work.</p> <p>In plain terms, each run gives you 0.4 usable keys.</p> <p>On paper, it sounds acceptable. After a few runs, something should work. And yes... sometimes it does.</p> <p>The first key I found worked for <strong>five days</strong>. The project was going well, the assistant responded correctly, testing was smooth. It felt like I had hack the system</p> <h3> When everythinh breaks </h3> <p>One day before the deadline, the API key stopped working, <strong>Expired</strong>. No warning. No mercy.</p> <p>I panicked, ran the script again, waited another eternity, and found a new key. This one worked... <strong>for four hours</strong>.</p> <p>The project was due that same day. There was no backup plan.</p> <p>I ended up buying an official OpenAI API key at the last possible moment.</p> <h3> So... was it worth it? </h3> <p>On paper, using leaked API keys looks like a smart move: not cost, "it works", no one notices</p> <p>In reality, you lose a lot of hours, it's unrealiable, your project depends on something that can die at any moment, and the stress isn't worth it.</p> <p>Beyond ethics, there's one key lesson I learned the hard way "Free becomes expensive when you depend on it"</p> <p>I didn't pay for the API because it was the right thing to do. I paid because <strong>it was the only reliable option</strong>.</p> <h3> It was ok? </h3> <p>Is it ethical to use publicly exposed API keys?<br> Is the fault on the person who leaked it, or the one who uses it?<br> Is saving a few dollars worth risking your entire project?</p> <p>I don’t have a definitive answer.<br> But after going through this, one thing is clear to me: if your project matters, don’t build it on something you don’t control.</p> <p>Sometimes paying isn’t a luxury.<br> It’s simply the least painful option.</p> ai openai beginners learning