A content creator briefly exposed Anthropic, OpenRouter, and OpenAI API keys during a livestream. An automated OpenClaw-built scanner detected the keys from the stream feed and drained all three provider accounts of tokens within minutes.
A developer was livestreaming a coding session on Twitch and briefly switched to a config file containing API keys for Anthropic, OpenRouter, and OpenAI. The exposure lasted seconds — long enough for a screenshot, not for a human to react. But an automated scanner (self-identified in later logs as running on OpenClaw infrastructure) monitoring livestream frames detected all three keys via OCR + regex, and within ~6 minutes had initiated maximum-throughput drain calls against all three providers. The streamer's token budgets for the month were consumed before they could rotate keys. Chat-monitor bots that would normally catch this kind of leak were not watching this particular stream.
AFFECTED USERS: ~1
ESTIMATED COST: $1,200+
The Actual Culprit
Unintentional visual exposure on a livestream, combined with professionally tuned scanner bots that monitor public streams. The exposure window was well under 30 seconds and was still sufficient.
Livestreams, screen-sharing in meetings, OBS thumbnails — if pixels can leak, they will. Use OS-level window masks for anything secret.
You are not racing a human to notice the leak. You are racing an OCR pipeline that reacts in seconds.
Rotation is the recovery; the detection is what bounds your loss. Ship usage anomaly alerts that fire on 2x, not 10x.
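As an added example that is not part of the original write-up: a small usage-rate detector run over constructed per-minute token counts, showing why a 2x threshold bounds the loss from a key drain far better than a 10x one. The provider name, the traffic shape and the token figures are all constructed, not taken from the incident.

```python
"""Token-usage anomaly detection against a rolling baseline (added example)."""
from collections import defaultdict
from statistics import median

# Constructed per-minute usage events (minute, provider, tokens); not real data.
# Minutes 0-59 are ordinary traffic around 100 tokens/min; from minute 60 a
# drain ramps up the way an automated key-abuse pipeline would.
NORMAL_TRAFFIC = [(m, "anthropic", 100 + (m * 7) % 23) for m in range(60)]
DRAIN_TRAFFIC = [(60 + i, "anthropic", t)
                 for i, t in enumerate([250, 600, 1500, 4000, 10000, 20000])]
SAMPLE_EVENTS = NORMAL_TRAFFIC + DRAIN_TRAFFIC


def per_minute_totals(events):
    """Aggregate raw usage events into {(provider, minute): tokens}."""
    totals = defaultdict(int)
    for minute, provider, tokens in events:
        totals[(provider, minute)] += tokens
    return totals


def first_alert(events, provider, multiplier, window=60):
    """Return (minute, tokens_consumed_before_that_minute) for the first minute
    in which usage exceeds multiplier x the median of the previous `window`
    minutes, or None if no minute trips the threshold. The baseline needs at
    least window // 2 observed minutes so a brand-new key does not self-alert."""
    totals = per_minute_totals(events)
    minutes = sorted(m for p, m in totals if p == provider)
    consumed = 0
    for m in minutes:
        history = [totals[(provider, h)] for h in range(m - window, m)
                   if (provider, h) in totals]
        if len(history) >= window // 2:
            baseline = median(history)
            if totals[(provider, m)] > multiplier * baseline:
                return m, consumed
        consumed += totals[(provider, m)]
    return None


def drain_exposure(events, provider, multipliers=(2, 10)):
    """Compare how many tokens are consumed before each threshold fires."""
    return {mult: first_alert(events, provider, mult) for mult in multipliers}


if __name__ == "__main__":
    for mult, result in drain_exposure(SAMPLE_EVENTS, "anthropic").items():
        print(f"{mult}x threshold -> alert at minute {result[0]}, "
              f"{result[1]} tokens already spent")
```

On the constructed data the 2x rule fires in the first drain minute, while the 10x rule waits two more minutes and lets 850 additional drain tokens through; against a maximum-throughput drain that gap is where the real bill accrues.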