What happens when your OpenRouter key gets stolen? Nothing. Then you move on.
Dev.to / 6/16/2026
💬 Opinion · Signals & Early Trends · Industry & Market Moves
Key Points
- The author’s OpenRouter API key was exposed via an environment variable, leading to unauthorized usage that drained their balance with no warning or alerts.
- The incident revealed gaps in OpenRouter’s security/UX, such as missing automatic spending caps, threshold-based alerts, and an easy way to report abuse or trigger a kill switch.
- After realizing they had limited visibility into what happened—no straightforward support path or billing UI controls—they focused on mitigation rather than pursuing the attacker.
- The author suspects the attacker automated key harvesting from sources like GitHub repos and deployment logs, making it unlikely they can be identified.
- The takeaway is to proactively reduce risk next time by enforcing hard spending limits, cleaning environment files, and generally tightening secret-handling practices.
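The mitigations in the last point (a hard spending limit, threshold alerts, and keeping credentials out of committed environment files) can be enforced on the client side even when the provider offers no such controls. The following is an added example, not code from the article or from OpenRouter: it assumes the caller can obtain a per-request cost estimate before a call and the actual cost afterwards from the provider's usage data, and the `.env` and `.gitignore` contents are constructed for the demonstration (the key value is a placeholder, not a real key format).

```python
"""Client-side spend guard and .env hygiene check (added example, provider-agnostic)."""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Set


class SpendCapExceeded(RuntimeError):
    """Raised when a request would push cumulative spend past the hard cap."""


@dataclass
class SpendGuard:
    """Tracks cumulative spend for one API key and enforces a hard cap.

    check() is called before each request with an estimated cost;
    record() is called after each request with the cost the provider reports.
    Alerts fire once per threshold (fractions of the hard cap).
    """
    hard_cap_usd: float
    alert_thresholds: tuple = (0.5, 0.8, 0.95)
    notify: Callable[[str], None] = print          # swap in a pager/webhook hook
    spent_usd: float = 0.0
    _fired: Set[float] = field(default_factory=set, init=False, repr=False)

    def check(self, estimated_cost_usd: float) -> None:
        """Refuse the request if it would exceed the hard cap (fail closed)."""
        projected = self.spent_usd + estimated_cost_usd
        if projected > self.hard_cap_usd:
            raise SpendCapExceeded(
                f"projected spend ${projected:.2f} exceeds cap ${self.hard_cap_usd:.2f}"
            )

    def record(self, actual_cost_usd: float) -> float:
        """Add the reported cost, fire any newly crossed threshold alerts, return total."""
        self.spent_usd += actual_cost_usd
        for t in self.alert_thresholds:
            if t not in self._fired and self.spent_usd >= t * self.hard_cap_usd:
                self._fired.add(t)
                self.notify(
                    f"spend alert: ${self.spent_usd:.2f} is {int(t * 100)}% of cap "
                    f"${self.hard_cap_usd:.2f}"
                )
        return self.spent_usd


# Variable names that conventionally hold credentials (assumption: naming convention only).
_SECRET_NAME_RE = re.compile(r".*(KEY|SECRET|TOKEN|PASSWORD)$", re.IGNORECASE)


def find_secret_assignments(env_text: str) -> List[str]:
    """Return names in a .env body that look like credentials and carry a non-empty value."""
    names = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        if _SECRET_NAME_RE.match(name) and value.strip().strip("\"'"):
            names.append(name)
    return names


def env_file_is_ignored(gitignore_text: str) -> bool:
    """True if .gitignore contains a pattern that covers a top-level .env file."""
    patterns = {
        line.strip() for line in gitignore_text.splitlines()
        if line.strip() and not line.strip().startswith("#")
    }
    return bool(patterns & {".env", "/.env", ".env*", "*.env"})


# Constructed sample input (not from the article); the key value is a placeholder.
SAMPLE_ENV = """\
# local config
OPENROUTER_API_KEY=placeholder-not-a-real-key
DATABASE_URL=postgres://localhost/app
DEBUG=true
"""
SAMPLE_GITIGNORE = "node_modules/\n*.log\n"   # note: .env is NOT ignored here


if __name__ == "__main__":
    guard = SpendGuard(hard_cap_usd=10.0)
    guard.check(4.0)
    guard.record(4.0)
    guard.record(4.5)        # crosses the 50% and 80% thresholds
    try:
        guard.check(2.0)     # would reach $10.50 > $10 cap
    except SpendCapExceeded as exc:
        print("blocked:", exc)
    print("credentials in .env:", find_secret_assignments(SAMPLE_ENV))
    print(".env ignored by git:", env_file_is_ignored(SAMPLE_GITIGNORE))
```

The guard fails closed: once the cap is reached no further request is sent, so a harvested key in a runaway loop stops at a bounded loss rather than at zero balance. The `.env` checks are a cheap pre-commit gate; they do not replace a real secret scanner, but they catch the exact mistake the article describes (a populated credential file with no ignore rule).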