Leaked Stripe secret key: what the attacker gets, and what you do next

Your live Stripe secret key (sk_live_*) grants full API access to your Stripe account: create charges, issue refunds, read customer and payment data, and change account objects. Rotation is immediate; how much of the damage you can reverse depends on how fast you rotated and what the attacker did with the key before that.

The next 60 seconds matter

The attacker reads every customer and charge the key can see, issues refunds against legitimate charges, and creates new charges against stored customers. Note that Stripe returns a refund to the original payment method, so refund abuse drains your balance rather than paying the attacker directly; it is still a loss and still generates disputes. Stripe Radar may flag unusual activity, but it is not designed to stop API calls made with your own valid key. Assume everything the key permitted went through until you have reviewed the request logs.

  • Issue refunds against legitimate charges (if the key permits); the money goes back to the original cardholder, not to the attacker, but it leaves your balance
  • Pull name, email, billing address and the last-4, brand and expiry of every customer's card (Stripe never returns full PANs over the API)
  • Read the account's charge history and metadata
  • Create live objects (customers, charges, coupons, products) to pollute the audit trail; a live key cannot write test-mode data, so everything it created is real and shows up in the live logs

Rotation playbook

  1. Dashboard → Developers → API keys → Roll key. If the roll dialog offers a grace period before the old key expires, do not take it: a compromised key gets no grace period
  2. Every downstream system that used the old key starts failing the moment it expires, so stage the new key in your secret store first and deploy it in the same change window
  3. Review Developers → Logs and Events for calls made with the compromised key, then contact Stripe Support from the dashboard to report the compromise and dispute fraudulent activity
  4. Replace the full secret key with restricted keys (rk_live_*) for anything that does not need full access, such as read-only reporting or a single-purpose integration; webhooks never use an API key at all, they are verified with the endpoint's signing secret

Prevent the next one

  • Use Stripe restricted keys (rk_live_*) with the minimum permissions each integration needs; keep the full secret key only where nothing narrower works
  • Webhook endpoints verify the Stripe-Signature header with the endpoint's signing secret (whsec_*), not with the secret key; a leaked secret key does not let anyone forge webhooks, and a leaked signing secret grants no API access
  • Never ship the secret key in a client bundle; the publishable key (pk_live_*) is the only one that belongs client-side
  • The Stripe CLI and test-mode keys (sk_test_*) cover local development, including forwarding and triggering webhooks, without the live key ever leaving your secret store
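The webhook point above is worth showing in code, because it is the one place where a leaked secret key does not help the attacker: deliveries are authenticated with the endpoint's signing secret only. The verifier below is an added example, not Stripe's library code, and the secret, event payload and timestamp are constructed values. It implements the documented scheme (hex HMAC-SHA256 over "<t>.<raw body>" keyed with the whsec_* string, with a five-minute freshness window) and shows the three failure modes a practitioner should test: a tampered body, a replayed delivery, and a malformed header.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Stripe signs each webhook delivery with the endpoint's own signing secret
# (whsec_*), never with the account's sk_live_* key. The Stripe-Signature
# header carries a timestamp "t" and one or more "v1" signatures, each the
# hex HMAC-SHA256 of "<t>.<raw request body>" keyed with the signing secret.
# Stripe's libraries reject deliveries whose timestamp is more than 5 minutes
# from now, which closes the replay window; the same default is used here.
DEFAULT_TOLERANCE_SECONDS = 300


def compute_signature(signing_secret: str, timestamp: int, payload: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<payload>" keyed with the signing secret."""
    signed_payload = f"{timestamp}.".encode() + payload
    return hmac.new(signing_secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split "t=...,v1=...,v1=..." into the timestamp and the list of v1 signatures."""
    timestamp: Optional[int] = None
    signatures: List[str] = []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            continue
        if key == "t":
            timestamp = int(value)  # non-numeric t raises ValueError, handled by the caller
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, signatures


def verify_webhook(payload: bytes, header: str, signing_secret: str,
                   now: Optional[int] = None,
                   tolerance: int = DEFAULT_TOLERANCE_SECONDS) -> bool:
    """Return True only if one v1 signature matches and the timestamp is fresh.

    payload must be the raw request body bytes; re-serialising parsed JSON
    changes whitespace and key order and breaks the signature.
    """
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > tolerance:
        return False  # stale or future-dated delivery: treat as a replay
    expected = compute_signature(signing_secret, timestamp, payload)
    # compare_digest keeps each comparison constant-time
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


def make_signature_header(signing_secret: str, timestamp: int, payload: bytes) -> str:
    """Build a header the way Stripe would; used here only to construct test deliveries."""
    return f"t={timestamp},v1={compute_signature(signing_secret, timestamp, payload)}"


# Constructed sample delivery (not a real Stripe event, secret or timestamp).
SAMPLE_SECRET = "whsec_constructed_example_secret"
SAMPLE_PAYLOAD = b'{"id":"evt_constructed","type":"charge.succeeded","data":{"object":{"amount":1000}}}'
SAMPLE_TIMESTAMP = 1_700_000_000

if __name__ == "__main__":
    header = make_signature_header(SAMPLE_SECRET, SAMPLE_TIMESTAMP, SAMPLE_PAYLOAD)
    print("valid:   ", verify_webhook(SAMPLE_PAYLOAD, header, SAMPLE_SECRET, now=SAMPLE_TIMESTAMP + 5))
    print("tampered:", verify_webhook(SAMPLE_PAYLOAD + b" ", header, SAMPLE_SECRET, now=SAMPLE_TIMESTAMP + 5))
    print("replayed:", verify_webhook(SAMPLE_PAYLOAD, header, SAMPLE_SECRET, now=SAMPLE_TIMESTAMP + 3600))
```

In a real handler, pass the framework's raw body bytes (for example Flask's request.get_data()) and the Stripe-Signature header value, and reject the request before any JSON parsing when verify_webhook returns False. The signing secret lives in the same secret store as the API key but is a different credential, so rotating one does not require rotating the other.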

Pattern we scan for

sk_live_ or rk_live_ followed by 24 or more alphanumeric characters. Legacy keys are 32 characters in total; current keys are about 107. Publishable keys (pk_live_*) and test-mode keys (sk_test_*, rk_test_*) are not covered by this pattern.
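The scanner logic for that pattern, as an added example rather than the page's own scanner: the regex, the length assumptions and the sample .env lines below are constructed for illustration, and none of the keys in the sample are real. Findings are reported masked so that the scanner's own output does not become a second place the key is leaked.

```python
import re
import sys
from typing import List, NamedTuple

# Stripe live secret keys (sk_live_*) and live restricted keys (rk_live_*).
# Legacy keys are 32 characters in total (8-char prefix + 24), current ones
# about 107; both are plain alphanumerics after the prefix, so the prefix
# plus 24 or more key characters is the finding. Publishable (pk_live_*)
# and test-mode (sk_test_*) keys deliberately do not match.
STRIPE_LIVE_KEY = re.compile(r"\b(sk|rk)_live_[A-Za-z0-9]{24,}\b")


class Finding(NamedTuple):
    line_no: int
    kind: str      # "secret" or "restricted"
    masked: str    # enough to identify the key in the dashboard, never the full value


def mask_key(key: str) -> str:
    """Keep the prefix and the first/last four key characters, e.g. sk_live_abcd...uvwx."""
    prefix, body = key[:8], key[8:]
    return f"{prefix}{body[:4]}...{body[-4:]}"


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per live key occurrence, in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in STRIPE_LIVE_KEY.finditer(line):
            kind = "secret" if match.group(1) == "sk" else "restricted"
            findings.append(Finding(line_no, kind, mask_key(match.group(0))))
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        return scan_text(handle.read())


# Constructed sample: a .env dump with a legacy-length secret key and a
# current-length restricted key (both findings), plus a publishable key and a
# test key (neither is a finding). None of these are real Stripe keys.
SAMPLE_ENV = "\n".join([
    "STRIPE_PUBLISHABLE_KEY=pk_live_abcdefghijklmnopqrstuvwx",
    "STRIPE_SECRET_KEY=sk_live_abcdefghijklmnopqrstuvwx",
    "REPORTING_KEY=rk_live_51" + "X" * 97,
    "STRIPE_TEST_KEY=sk_test_abcdefghijklmnopqrstuvwx",
])

if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the given files.
    targets = sys.argv[1:]
    results = scan_text(SAMPLE_ENV) if not targets else [f for p in targets for f in scan_file(p)]
    for finding in results:
        print(f"line {finding.line_no}: {finding.kind} key {finding.masked}")
```

Run it over a repository checkout or a CI log directory; a restricted-key hit is lower severity than a secret-key hit but still means a credential left your secret store, and the masked prefix is enough to find and roll the right key in the dashboard.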