My API key leaked on GitHub — what do I do?

It takes 60 seconds for someone to find your leaked API key. Here's the 10-minute plan.

You commit your code. You go to bed. Overnight, a scraper running in some basement picks up your OpenAI key. By morning, your bill is $4,200. Your account is rate-limited. You're not sure how it happened, or how to stop it.

What happens next

  1. Minute 0 — you commit the key

    The key hits GitHub. GitHub's own secret-scanning sometimes catches it; sometimes not. Either way, automated scrapers index every public commit within seconds.

  2. Minute 1-5 — attackers validate

    The attacker runs a quick test against the vendor's API to confirm the key works and check its permissions. If it's valid, they add it to their queue.

  3. Minute 5-60 — attackers use the key

    For OpenAI / Anthropic keys: inference until the spend cap trips. For AWS / GCP: spin up GPU miners. For Stripe: issue refunds or pull customer metadata.

  4. Hour 1-24 — you wake up and see the damage

    A vendor notification, a billing alert, or a usage spike tips you off. By now the attacker has extracted whatever value the key enables.

Without Securie

You manually hunt through git history trying to remember which commit had the key. You manually rotate the key and update every environment. You manually call your vendor's fraud team and hope they reimburse. Total time: a weekend. Total cost: $4,200 (or whatever your spend cap was).

With Securie

Securie flags the key the moment it's pushed, before you even go to bed. An auto-fix PR opens that removes the key from the repo, and a rotation workflow is proposed with the exact vendor-console steps.

Exactly what to do right now

  1. Revoke the key at the vendor's dashboard immediately (platform.openai.com → API keys → Revoke)
  2. Create a replacement key with the minimum permissions needed
  3. Update every environment — Vercel, Netlify, GitHub Actions, .env.local on every machine
  4. Search git history: `git log --all -p | grep -E 'sk-(proj-)?[a-zA-Z0-9]{40,}'`
  5. Contact the vendor's fraud team within 24 hours if the key was used
  6. Install Securie so this does not happen again
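For step 4, here is an added example (not Securie's code) of the same history scan done in Python instead of grep: it walks `git log --all -p` output, reports the commit and file for every added line that matches the page's key pattern, and prints only a redacted hint rather than the key itself. The regex is the one from step 4 and the sample log is constructed; feed it real output with `git log --all -p` piped into `sys.stdin`.

```python
import re
import sys
from dataclasses import dataclass

# Same pattern as step 4; it is a heuristic, not the vendor's official key grammar.
KEY_RE = re.compile(r"sk-(proj-)?[a-zA-Z0-9]{40,}")

@dataclass
class Finding:
    commit: str
    path: str
    key_hint: str  # first 7 chars + length; the full key never reaches the report

def scan_git_log(log_text: str) -> list[Finding]:
    """Report every '+' line in every commit that carries a key-looking token.

    A later commit that deletes the key does not help: the earlier commit still
    holds it, which is why every commit's added lines are checked, not just HEAD.
    """
    findings, commit, path = [], "?", "?"
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("+") and not line.startswith("+++"):
            for m in KEY_RE.finditer(line):
                key = m.group(0)
                findings.append(Finding(commit, path, f"{key[:7]}...({len(key)} chars)"))
    return findings

# Constructed sample: commit 1 adds a fake key to .env, commit 2 removes it again.
FAKE_KEY = "sk-proj-" + "A" * 48  # constructed, not a real key
SAMPLE_LOG = f"""commit a1b2c3d4e5f6
diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+OPENAI_API_KEY={FAKE_KEY}
+DEBUG=true
commit 0f0e0d0c0b0a
diff --git a/.env b/.env
--- a/.env
+++ b/.env
@@ -1,2 +1,2 @@
-OPENAI_API_KEY={FAKE_KEY}
+OPENAI_API_KEY=
 DEBUG=true
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in scan_git_log(text):
        print(f"{f.commit[:12]} {f.path}: {f.key_hint}")
```

The first commit is still reported after the second one deletes the line, which is why revoking the key (step 1) comes before any history cleanup.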