One Stolen API Key Costs More Than a Company Car

April 24, 2026 By Raimund Bauer Category: API Security

Setting a spending limit does not mean you are protected.

Not on OpenAI. Not on Google. Probably not on the one you are using right now.

My own billing incident

On March 17, 2026, I had my own billing incident with OpenAI. Mine was only $80. Others were not that lucky.

The tier system almost nobody knows about

OpenAI has five spending tiers. Tier 5 allows $200,000 per month. Upgrades happen automatically, without asking you.

What they call a hard limit became a notification, again without asking you.

$120 limit set

A developer configured a hard limit of $120. He was charged over $3,000 and got no refund.

$82,314 overnight

Another developer lost $82,314 in a single night after his Gemini API key was compromised. He also got no refund.

Automatic tier upgrades

OpenAI automatically upgrades accounts once certain spending thresholds are reached — without explicit consent.

Refund policy changed

Since October 2025, OpenAI declines refunds for accidental overcharges, stolen keys, and system errors.

What you should do right now

Check which tier your OpenAI account is on today. It takes 30 seconds: log in at platform.openai.com → Settings → Billing → Usage limits.

Also check whether your API keys are exposed in Git repositories, CI/CD pipelines, or public code snippets. A stolen key gets abused within minutes.
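As an added example (not code from the original post), here is a small scanner for the check just described: it flags lines that look like OpenAI or Google API keys, skips obvious placeholders with an entropy threshold, and only ever reports redacted values. The key shapes, the entropy threshold and the sample input below are assumptions constructed for the example.

```python
import math
import re
from collections import Counter

# Assumed key shapes: OpenAI keys start with "sk-" (project keys "sk-proj-"),
# Google API keys start with "AIza" followed by 35 URL-safe characters.
PATTERNS = {
    "openai": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}"),
    "google": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; real keys are random, placeholders are not."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def redact(token: str) -> str:
    """Never log a whole key: keep the prefix and the last four characters."""
    return token[:4] + "..." + token[-4:]

def scan_text(text: str, min_entropy: float = 3.0) -> list[dict]:
    """Return one finding per candidate key, skipping low-entropy placeholders."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for provider, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group(0)
                if shannon_entropy(token) < min_entropy:
                    continue  # e.g. "sk-xxxxxxxx..." in a README or example file
                findings.append({"line": line_no, "provider": provider,
                                 "redacted": redact(token)})
    return findings

# Constructed sample: a committed .env-style file with one placeholder line.
SAMPLE = """\
OPENAI_API_KEY=sk-proj-Qm7vR2kLp9XwT4yBn8JcF3hZ
# example only, do not use:
OPENAI_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxx
GEMINI_KEY: AIzaSyD4kQ9pXzR2mVtL8wHn3JbYcF7eG0sT1uA
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Run it over `git log -p` output or your CI configuration files to catch keys before they are pushed; anything it reports should be rotated, not just deleted from the repository.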

The most important takeaway

A spending limit is not a guarantee. It is a guideline. You feel the difference when the invoice arrives.

Sources

  1. OpenAI Rate Limits & Tier System (official documentation)
    The official docs explain how automatic tier upgrades work and what spending limits apply at each level:
    platform.openai.com/docs/guides/rate-limits/usage-tiers
  2. Tier 5 = $200,000/month (OpenAI Community Forum, verified)
    Community thread confirming the Tier 5 spending ceiling with no guardrails:
    community.openai.com – Tier 5 thread
  3. Hard limits quietly removed (Hacker News, October 2025)
    Discussion thread documenting when OpenAI changed hard limits to notifications:
    news.ycombinator.com/item?id=45589628
  4. $120 limit — $3,000+ charged (OpenAI Community Forum)
    Developer report: hard limit configured, still massively overcharged, no refund:
    community.openai.com – Stolen key thread
  5. OpenAI refund policy change (WinBuzzer, October 25, 2025)
    OpenAI ended refunds for accidental overcharges, stolen keys, and system errors:
    winbuzzer.com – OpenAI refund policy
  6. Gemini API key — $82,314 overnight (The Register, March 3, 2026)
    Developer's key compromised, Google declined refund:
    theregister.com – Gemini $82,314
  7. Google's unprotected API keys (Heise Online, 2026)
    Heise reports on the structural security problem with unprotected Google API keys:
    heise.de – Google API keys
  8. Gemini incident and startup insolvency (WinFuture, 2026)
    winfuture.de – Gemini Startup

Want to review API security in your organisation?

I help you manage API keys securely and minimise billing risks. No-obligation initial consultation.
