What happens if someone steals your API key?
It depends entirely on what the key can do. A read-only analytics key is annoying; an AWS root or sk_live_ Stripe key can become expensive and legally messy fast. Below is a realistic map — not fear-mongering — so you prioritize revocation and monitoring correctly.
1. Generic attack patterns
| Pattern | What attackers do |
|---|---|
| API abuse | Call paid endpoints (LLM, maps, SMS) on your bill |
| Data exfiltration | Read customer records, storage buckets, mail |
| Infrastructure | Spawn VMs, crypto-mine, send spam |
| Supply chain | Publish packages, change CI, add malicious code |
2. Cloud provider keys (AWS, GCP, Azure)
Symptoms: unexpected resources, billing spikes, IAM user creation, new access keys.
Actions:
- Revoke key or disable IAM user immediately.
- CloudTrail / Activity logs — trace first use time (helps post-mortem).
- Contact cloud support for billing disputes — not guaranteed forgiveness.
AWS: Best practices for managing AWS access keys.
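The "trace first use time" step above is easiest to do against the raw log records rather than by eye. The following is an added example (not part of the original article and not an AWS tool): it triages constructed CloudTrail-style records for one access key ID, reporting the first and last sighting, the source IPs, and any event that points at persistence or resource spawning. The key IDs and IPs are placeholders, and `HIGH_RISK_EVENTS` is this example's own list.

```python
"""
Triage CloudTrail-style records for one compromised access key.
Added example, not part of the original article and not AWS tooling:
SAMPLE_RECORDS is constructed (a subset of real CloudTrail fields),
and the access key IDs below are placeholders.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed CloudTrail-style records (subset of real fields, fake values).
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T09:12:03Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-05-01T09:12:40Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-05-01T09:15:11Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-05-01T09:16:02Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"}},
]

# This example's own list: actions matching the article's symptoms
# (IAM user creation, new access keys, unexpected resources).
HIGH_RISK_EVENTS = {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                    "PutUserPolicy", "RunInstances", "CreateLoginProfile"}


def parse_time(s):
    """CloudTrail timestamps are ISO-8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_key(records, access_key_id):
    """Return first/last use, source IPs and high-risk actions for one key."""
    hits = [r for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == access_key_id]
    if not hits:
        return None
    hits.sort(key=lambda r: parse_time(r["eventTime"]))
    return {
        "first_seen": hits[0]["eventTime"],
        "last_seen": hits[-1]["eventTime"],
        "event_count": len(hits),
        "source_ips": Counter(r["sourceIPAddress"] for r in hits),
        "high_risk": [(r["eventTime"], r["eventName"]) for r in hits
                      if r["eventName"] in HIGH_RISK_EVENTS],
    }


def load_records(path):
    """Load a CloudTrail log file; the real format wraps events in {"Records": [...]}."""
    with open(path) as f:
        return json.load(f)["Records"]


if __name__ == "__main__":
    report = triage_key(SAMPLE_RECORDS, "AKIAEXAMPLEKEY000001")
    print(json.dumps(report, indent=2, default=str))
```

On a real incident, feed `load_records()` the exported trail files for the suspect key and treat the earliest `first_seen` across all files as the start of the compromise window; every secret the key could read after that time needs rotating too.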
3. Payment providers (Stripe, etc.)
Symptoms: fraudulent charges, new customers, payout changes, webhook tampering.
Actions:
- Roll the secret key and the webhook signing secret, following Stripe's guidance on rotating API keys.
- Stripe Dashboard → Radar / logs for suspicious activity.
- Notify fraud team per internal policy.
Stripe security practices: Stripe security.
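Webhook tampering and signing-key rolls go together: while you rotate, the receiver must accept events signed with either the old or the new secret, and afterwards only the new one. The following is an added example, not Stripe's SDK or code from this article. The header layout (`t=<unix time>,v1=<hex HMAC-SHA256>` over `"<time>.<body>"`) follows the shape of Stripe's documented scheme, but treat the details as assumptions and use the provider's own library in production; the secrets, timestamps and payload are constructed.

```python
"""
Verify a signed webhook while two signing secrets are valid during rotation.
Added example, not Stripe's SDK and not code from the original article.
Header format is modelled on the shape of Stripe's scheme (assumption);
the secrets and payload below are constructed.
"""
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # reject signatures older than this (replay window)

# Constructed secrets: the one being retired and its replacement.
OLD_SECRET = "whsec_old_constructed_value"
NEW_SECRET = "whsec_new_constructed_value"


def sign(body: bytes, secret: str, ts: int) -> str:
    """Produce the header value the sender would attach to `body`."""
    signed_payload = f"{ts}.".encode() + body
    mac = hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def parse_header(header: str):
    """Extract the timestamp and every v1 signature (senders may include several)."""
    ts, sigs = None, []
    for item in header.split(","):
        key, _, value = item.partition("=")
        if key == "t":
            ts = int(value)
        elif key == "v1":
            sigs.append(value)
    if ts is None or not sigs:
        raise ValueError("malformed signature header")
    return ts, sigs


def verify(body: bytes, header: str, secrets, now=None) -> bool:
    """True if the timestamp is fresh and any signature matches any active secret."""
    now = int(time.time()) if now is None else now
    ts, sigs = parse_header(header)
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    signed_payload = f"{ts}.".encode() + body
    for secret in secrets:
        expected = hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()
        # constant-time comparison: never compare MACs with ==
        if any(hmac.compare_digest(expected, s) for s in sigs):
            return True
    return False


if __name__ == "__main__":
    body = b'{"id":"evt_constructed","type":"charge.succeeded"}'
    header = sign(body, OLD_SECRET, 1_700_000_000)
    # During the overlap window both secrets are active; afterwards only NEW.
    print("overlap, old sig :", verify(body, header, [NEW_SECRET, OLD_SECRET], now=1_700_000_010))
    print("after roll, old sig:", verify(body, header, [NEW_SECRET], now=1_700_000_010))
    print("tampered body    :", verify(body + b" ", header, [NEW_SECRET, OLD_SECRET], now=1_700_000_010))
```

The design point is the `secrets` list: keep the old secret in it only for the overlap window you announced, then drop it, so an attacker who captured the old secret cannot keep forging events after the roll.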
4. Developer platform tokens (GitHub, GitLab)
Symptoms: new repos, malicious commits, workflow changes exfiltrating secrets.
Actions:
- Revoke PAT / OAuth app.
- Review audit log / security tab for unauthorized access.
- Rotate any secrets that CI might have printed during malicious workflow runs.
GitHub: Reviewing your security log.
5. “Public” frontend keys (maps, analytics)
These keys are often designed to be visible, so the risk is quota theft or misconfiguration rather than data access. Mitigate with HTTP referrer restrictions, IP allowlists, and a separate key per environment (see: frontend leaks).
6. Legal and compliance
If personal data was accessible: involve legal (GDPR breach notification timelines, contracts). This is not optional in many jurisdictions when thresholds are met.
7. Prevention on macOS
Reduce theft surface:
- Encrypted vault for dev keys: PassStore (Security).
- No prod keys on laptop.
- Git hygiene: keep secrets out of Git.
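"Keep secrets out of Git" is most reliable when a hook enforces it before the commit exists. The following is an added example, not code from this article or from any existing scanner: a pre-commit check that scans the staged diff for credential-shaped strings. The AWS access key ID and Stripe live-key shapes come from this page; the GitHub PAT and private-key patterns are common formats added here, and the sample diff is constructed with fake values (the AWS one is Amazon's own documentation placeholder).

```python
#!/usr/bin/env python3
"""
Pre-commit scan for credential-shaped strings in staged changes.
Added example, not code from the original article or any scanner project.
PATTERNS are well-known public key formats; SAMPLE_DIFF is constructed
and contains only fake/placeholder values.
"""
import re
import subprocess
import sys

# (name, regex). First two shapes appear on the page; the rest are common formats.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("stripe_live_secret", re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b")),
    ("github_pat", re.compile(r"\bghp_[0-9A-Za-z]{36}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# Constructed staged diff: two hits, one harmless line, one false-positive decoy.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+STRIPE_KEY=sk_live_0123456789abcdefXYZ
+LOG_LEVEL=debug
+# harmless: AKIA is just four letters here
"""


def redact(token: str) -> str:
    """Show only the edges so the hook's own output never leaks the secret."""
    return token[:6] + "..." + token[-4:]


def find_secrets(text: str):
    """Return (line_number, pattern_name, redacted_match) for every hit in `text`."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "# allow-secret" in line:  # explicit opt-out for test fixtures
            continue
        for name, rx in PATTERNS:
            for m in rx.finditer(line):
                hits.append((lineno, name, redact(m.group(0))))
    return hits


def staged_diff() -> str:
    """Added lines of the staged diff only, so history is not rescanned every commit."""
    out = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                         capture_output=True, text=True, check=True).stdout
    return "\n".join(l for l in out.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))


if __name__ == "__main__":
    # `--demo` scans the constructed sample; otherwise scan what is staged.
    text = SAMPLE_DIFF if "--demo" in sys.argv else staged_diff()
    hits = find_secrets(text)
    for lineno, name, shown in hits:
        print(f"diff line {lineno}: {name}: {shown}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit
```

Install it as `.git/hooks/pre-commit` (executable) or wire it into your hook manager; run it with `--demo` first to see the two expected hits. Line numbers refer to the scanned diff text, not the file, which is enough to locate the offending line.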