I woke up to a bill that wasn't mine. Balance zeroed, burned on a model I don't use. Someone found my OpenRouter key in an exposed env variable and ran it dry.
That's it. No alert. No threshold. No "maybe check this." Just a zeroed balance and the lesson.
I know what you're thinking — rate limits. Secret audits. Budget caps. Yeah. Living in the real world doesn't always work that way. You push things, you trust the token in export OPENROUTER_KEY=sk-... stays where you left it. It doesn't. A scumbag finds it and your API key becomes their API key.
The annoying part isn't even the money. It's the rethinking. Where else am I exposed?
Then you go looking for help. It's not in the dropdown. Not within easy reach of credit history or billing. Not available to tired eyes at 3am when you're trying to figure out what the hell just happened. There's no button to report. No obvious kill switch. Just the knowledge base telling you to be more careful.
I'm not dropping an X message. Don't care to waste even more time. Support shouldn't be optional. A spending cap should be obvious. An alert for a 3000% spike should exist by default. The "report abuse" button shouldn't require a site drill.
None of that was there. So I took the hit, added a hard limit, scrubbed my env files, moved on.
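The two controls the post ends up wanting, a key scan over env files before they leave the machine and a spend guard with a hard cap plus a spike alert, can both be scripted in a few dozen lines. The example below is added here and is not the author's code; the key pattern (prefix "sk-" plus 16 or more key-like characters), the .env contents and the daily spend figures are constructed for the demo, and nothing about OpenRouter's real key format or billing API is assumed.

```python
import re
import statistics

# Constructed pattern: the post only shows the "sk-" prefix. The length and
# alphabet here are assumptions, not the provider's documented key format.
KEY_PATTERN = re.compile(r"(sk-[A-Za-z0-9_\-]{16,})")


def redact(key: str) -> str:
    """Keep the prefix and last four characters so a finding can be reported
    without re-exposing the secret it found."""
    return key[:3] + "*" * max(len(key) - 7, 0) + key[-4:]


def find_key_leaks(text: str) -> list[tuple[int, str]]:
    """Scan text (an .env file, shell history, a CI log) and return
    (line number, redacted key) for every line that carries a key-shaped value."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            hits.append((lineno, redact(match.group(1))))
    return hits


class SpendGuard:
    """Hard cap plus spike alert, checked before each request is sent.
    daily_history holds prior days' spend in USD; here it is constructed, a
    real deployment would fill it from the provider's usage reporting."""

    def __init__(self, hard_cap_usd: float, spike_pct: float = 3000.0,
                 daily_history=None):
        self.hard_cap = hard_cap_usd
        self.spike_pct = spike_pct
        self.history = list(daily_history or [])
        self.spent_today = 0.0
        self.alerts: list[str] = []
        self._spike_raised = False

    def baseline(self) -> float:
        """Average daily spend over the recorded history (0 when none)."""
        return statistics.fmean(self.history) if self.history else 0.0

    def record(self, cost_usd: float) -> bool:
        """Account for one request. Returns False and refuses it when the hard
        cap would be exceeded. Raises a single spike alert once today's total
        outpaces the historical daily baseline by more than spike_pct percent."""
        if self.spent_today + cost_usd > self.hard_cap:
            self.alerts.append(
                f"hard cap {self.hard_cap:.2f} USD reached; request refused")
            return False
        self.spent_today += cost_usd
        base = self.baseline()
        if base > 0 and not self._spike_raised:
            increase_pct = (self.spent_today - base) / base * 100
            if increase_pct > self.spike_pct:
                self._spike_raised = True
                self.alerts.append(
                    f"spend spike: {self.spent_today:.2f} USD today is "
                    f"{increase_pct:.0f}% over the {base:.2f} USD daily baseline")
        return True


# Constructed .env content for the demo; the key value is not a real key.
SAMPLE_ENV = """# constructed .env for the demo
DATABASE_URL=postgres://app:app@localhost/app
OPENROUTER_KEY=sk-constructed1234567890abcdefXYZ
export OPENROUTER_KEY=sk-constructed1234567890abcdefXYZ
DEBUG=true
"""

if __name__ == "__main__":
    for lineno, shown in find_key_leaks(SAMPLE_ENV):
        print(f"line {lineno}: key-shaped value {shown}")
    guard = SpendGuard(hard_cap_usd=20.0, daily_history=[0.25, 0.5, 0.75, 0.5])
    for cost in (5.0, 5.0, 5.0, 1.0, 5.0):
        print(f"request costing {cost:.2f}: allowed={guard.record(cost)}")
    for alert in guard.alerts:
        print("ALERT:", alert)
```

Run the key scan over every .env, shell rc and CI log before a push (the redacted output is safe to paste into a ticket); the spend guard belongs in the client wrapper that issues the API calls, so a drained key stops at the cap instead of at zero.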
The scumbag? Nobody. They sweep keys from GitHub repos and deployment logs a hundred times a day. I'm not going to find them.
But I'm going to have a spending cap next time.