Left my OpenAI key in a public GitHub repo for 11 minutes. That was enough.
Classic rookie mistake, I know. I KNOW.
I was pushing a quick prototype to GitHub to share with a friend. I hardcoded my OpenAI API key in a config file. I realized my mistake about 11 minutes after pushing and immediately revoked and rotated the key.
In those 11 minutes, someone — presumably a bot scanning GitHub for exactly this — had grabbed the key and used it to:
- Generate approximately 4 million tokens using GPT-4
- Spin up a batch job that appeared to be training some kind of data extraction pipeline
- Rack up $312 in charges
OpenAI support was actually really helpful and waived the charges after I explained what happened. But the 40 minutes I spent on that support chat were deeply humbling.
I now use environment variables. And `.gitignore`. And I double-check before every push like someone with a healthy anxiety disorder.
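The "double-check before every push" step can be automated as a git hook. The script below is an added example, not code from the original post: a POSIX shell pre-commit scan that flags files containing an OpenAI-style key (keys of the form `sk-...` are the assumption here) or a hardcoded `api_key = "..."` assignment, reports only the file and line numbers so the secret is not echoed into terminal or CI logs, and blocks the commit on a hit.

```shell
#!/bin/sh
# Added example: a pre-commit secret scan. The patterns are assumptions:
# OpenAI-style keys start with "sk-", and the second alternative catches
# hardcoded assignments such as  api_key = "..."  in any source or config file.
SECRET_PATTERN="sk-[A-Za-z0-9_-]{20,}|[Aa][Pp][Ii]_?[Kk][Ee][Yy][[:space:]]*[:=][[:space:]]*[\"'][^\"']{16,}"

# scan_file FILE
# Returns 0 if no likely secret is found, 1 otherwise. Only line numbers are
# printed, never the matching text, so the key does not leak into logs.
scan_file() {
    hits=$(grep -nE "$SECRET_PATTERN" "$1" | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$hits" ]; then
        echo "$1: possible API key on line(s) $hits" >&2
        return 1
    fi
    return 0
}

# scan_staged
# Scans every file staged for the current commit (added, copied or modified).
# Returns 1 if any file fails, which makes the hook reject the commit.
scan_staged() {
    rc=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        [ -f "$f" ] || continue
        scan_file "$f" || rc=1
    done
    return $rc
}

# To install: copy this file to .git/hooks/pre-commit, chmod +x it, and
# uncomment the next line so a hit aborts the commit.
# scan_staged || exit 1
```

The hook only sees what is staged, so it complements rather than replaces `.gitignore`: ignore the file that holds the real key, read it through `os.environ` (or your language's equivalent) at runtime, and let the hook catch the day a key is pasted into a tracked file anyway.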