
Waking up to a pile of unexpected charges is a special kind of panic. One builder, Paul with Search Quality Rater, learned that the hard way after his vibe-coded website was hacked and attackers burned through API credits like there was no tomorrow. Hundreds of dollars gone before breakfast. No viral success story. No traffic spike. Just abuse.
It’s a brutal lesson, but it’s also an increasingly common one. Vibe coding has lowered the barrier to shipping. It has also raised the odds that something important gets exposed along the way. And attackers know exactly what to look for.
Why Vibe-Coded Projects Get Into Trouble
Speed is the whole point. Security often becomes “future me will handle it.” Then future you wakes up to receipts.
Many vibe-coded projects ship with the same predictable problems. API keys get pasted into front-end JavaScript. Authentication gets skipped because it “worked locally.” Default settings stay in place because nobody wants to touch configuration files. Monitoring is missing because it feels like a “later” task.
AI can generate working code. That does not mean it generates secure code. A tool can help you build a house fast, but it won’t magically install locks, cameras, and a fire alarm unless you ask for them and know how to verify the result.
Your API Key Is Basically a Credit Card Number
If there’s one idea to tattoo on your brain, it’s this: an API key is money. Treat it like a credit card number, not like a harmless token you can sprinkle around your codebase.
If a key is exposed, stolen, or leaked, an attacker can often use it immediately. They don’t need to “hack” in the Hollywood sense. They just need your key and an endpoint that accepts it. After that, your billing account becomes their snack bar.
How API Keys Get Leaked (Even When You Didn’t Mean To)
Most “API credit drain” incidents are painfully boring. That’s what makes them so dangerous.
- Keys in client-side code: If your browser can see it, an attacker can see it.
- Keys committed to Git: Public repos get scanned constantly. Private repos leak, too.
- Keys in screenshots or screen recordings: People post “quick demos” and accidentally publish secrets.
- Wide-open endpoints: No auth, no rate limits, no validation. A bot can hammer it all night.
- Over-permissioned keys: One key does everything. So when it leaks, it really does everything.
Locking Down a Vibe-Coded Website: What to Do Right Now
You don’t need a security team to reduce risk. You need a short checklist and the discipline to use it every time you ship.
Move Paid API Calls to the Server
As a rule, paid or sensitive API calls should happen server-side. The flow should look like this: the browser makes a request to your server; your server, which is the only place the key is stored, calls the external API; your server returns the result to the browser.
This keeps keys off the client. It also gives you a choke point where you can enforce authentication, validate inputs, and block abusive patterns.
Restrict Where a Key Can Be Used
Most providers let you limit key usage. Use those controls. Even basic restrictions can turn a stolen key into a useless key.
- Domain restrictions: Only allow requests from your approved domain(s).
- IP restrictions: Only allow requests from your server IP(s).
- Environment restrictions: Keep production keys in production. Use separate keys for dev and staging.
Give Keys the Minimum Permissions
If your key only needs one API, don’t give it access to five. If it only needs read access, don’t grant write access. Least privilege is boring, and boring is exactly what you want in security.
Add Authentication to Your Own Endpoints
If you created an endpoint that triggers API usage, protect it. Require user authentication where appropriate. Use signed tokens, sessions, or another proven method. Don’t rely on “security by obscurity” like hidden URLs.
Attackers don’t guess your endpoint. They discover it by crawling your site, reading your JavaScript, and watching network requests.
Rate Limit Everything That Can Cost You Money
Rate limiting is one of the simplest ways to stop credit-draining abuse. Put limits on requests per IP and requests per user account. Consider additional controls like cooldowns, CAPTCHA challenges, or temporary blocks when behavior looks automated.
Even if an attacker finds a way in, rate limits can keep “hundreds of dollars overnight” from becoming “thousands by lunch.”
Set Quotas, Hard Caps, and Billing Alerts
Many API platforms offer usage quotas and billing alerts. Turn them on. Set thresholds that reflect reality. If your normal daily spend is $5, then a sudden jump to $50 should trigger an alarm immediately.
Don’t wait for receipts to tell you something is wrong. Your inbox is not a security system.
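The rate limits from the previous section and the quota and alert thresholds from this one, as an added example written for this article (not code from the original post). It is plain Node.js with no framework; the limit values, the block duration, the cost unit and the alert callback are all assumptions. Time is injected as a parameter so the behaviour is deterministic; production code passes Date.now().

```javascript
// Added example (not from the original post): two cost guards that sit in
// front of any endpoint that spends API credits. `nowMs` is injected so the
// logic is deterministic and testable; production code passes Date.now().

// Sliding-window counter keyed by a subject (client IP, user id). A subject
// that exceeds the limit gets a temporary block on top of the normal window,
// which is what turns automated hammering into silence.
class RateLimiter {
  constructor({ limit, windowMs, blockMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.blockMs = blockMs;
    this.hits = new Map();         // subject -> array of request timestamps
    this.blockedUntil = new Map(); // subject -> ms timestamp
  }

  // Returns { allowed, reason, retryAfterMs }.
  check(subject, nowMs) {
    const until = this.blockedUntil.get(subject);
    if (until !== undefined) {
      if (nowMs < until) return { allowed: false, reason: 'blocked', retryAfterMs: until - nowMs };
      this.blockedUntil.delete(subject);
    }
    const recent = (this.hits.get(subject) || []).filter((t) => nowMs - t < this.windowMs);
    if (recent.length >= this.limit) {
      this.blockedUntil.set(subject, nowMs + this.blockMs);
      this.hits.set(subject, recent);
      return { allowed: false, reason: 'rate_limited', retryAfterMs: this.blockMs };
    }
    recent.push(nowMs);
    this.hits.set(subject, recent);
    return { allowed: true };
  }
}

// Daily spend guard in whatever unit the provider bills. Crossing the alert
// threshold fires the callback once per day; crossing the hard cap refuses the
// request, so a leaked key or a runaway bot cannot turn $5/day into $500/day.
class SpendGuard {
  constructor({ dailyCap, alertAt, onAlert }) {
    this.dailyCap = dailyCap;
    this.alertAt = alertAt;
    this.onAlert = onAlert;
    this.day = null;
    this.spent = 0;
    this.alerted = false;
  }

  _roll(nowMs) {
    const day = Math.floor(nowMs / 86400000);
    if (day !== this.day) {
      this.day = day;
      this.spent = 0;
      this.alerted = false;
    }
  }

  // Reserve cost before calling upstream; false means it would breach the cap.
  reserve(cost, nowMs) {
    this._roll(nowMs);
    if (this.spent + cost > this.dailyCap) return false;
    this.spent += cost;
    if (!this.alerted && this.spent >= this.alertAt) {
      this.alerted = true;
      this.onAlert({ spent: this.spent, cap: this.dailyCap });
    }
    return true;
  }
}

// Wire both guards around a request. Cheap checks run first; spend is only
// reserved once the caller has passed every other gate.
function guardRequest({ ip, userId, estimatedCost }, ipLimiter, userLimiter, spend, nowMs) {
  const byIp = ipLimiter.check(ip, nowMs);
  if (!byIp.allowed) return { allowed: false, reason: `ip:${byIp.reason}` };
  const byUser = userLimiter.check(userId, nowMs);
  if (!byUser.allowed) return { allowed: false, reason: `user:${byUser.reason}` };
  if (!spend.reserve(estimatedCost, nowMs)) return { allowed: false, reason: 'daily_cap' };
  return { allowed: true };
}
```

Two design choices worth noting: a request refused by the spend guard still counts against the rate limiters, so a client that keeps retrying against a closed cap is quietly blocked; and the hard cap is checked before the upstream call, not after, because the bill is already real by the time a response comes back.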
Rotate Keys Regularly (And Immediately After a Leak)
Key rotation should be normal, not a panic move. Have a process for replacing keys without taking your site down.
If you suspect a leak, rotate right away. Then review logs to understand what happened and whether other secrets may have been exposed.
Stop Logging Secrets
Vibe-coded apps sometimes log everything. That includes headers, tokens, and keys. If logs contain secrets, you’ve created a second leak path. Scrub sensitive values and store logs securely with limited access.
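A redaction pass of the kind this section asks for, as an added example written for this article (not code from the original post). It is plain Node.js; the list of secret-bearing field names and the key-shape patterns are constructed for illustration, and a real deployment extends them with the prefixes its own providers use.

```javascript
// Added example (not from the original post): a redaction pass that runs
// before anything reaches a log sink. It scrubs known secret-bearing headers
// and fields by name and catches key-shaped strings by pattern, so a stray
// console.log(req) does not become a second leak path.

const SECRET_FIELD_NAMES = new Set([
  'authorization', 'proxy-authorization', 'cookie', 'set-cookie',
  'x-api-key', 'api_key', 'apikey', 'token', 'access_token', 'refresh_token',
  'password', 'secret', 'client_secret', 'private_key',
]);

// Constructed patterns for common key shapes (illustrative, not exhaustive).
const SECRET_PATTERNS = [
  /\bsk-[A-Za-z0-9_-]{16,}\b/g,                                          // "sk-..." style API keys
  /\bBearer\s+[A-Za-z0-9._~+/=-]{16,}/g,                                 // bearer tokens inside strings
  /\bAKIA[0-9A-Z]{16}\b/g,                                               // AWS access key id shape
  /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g,  // JWT shape
];

const REDACTED = '[REDACTED]';

function redactString(s) {
  let out = s;
  for (const re of SECRET_PATTERNS) out = out.replace(re, REDACTED);
  return out;
}

// Deep-copy `value`, replacing secret fields and key-shaped substrings.
// Handles nested objects, arrays, and cycles.
function redact(value, seen = new WeakSet()) {
  if (typeof value === 'string') return redactString(value);
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[Circular]';
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SECRET_FIELD_NAMES.has(k.toLowerCase()) ? REDACTED : redact(v, seen);
  }
  return out;
}

// Minimal structured logger: every record passes through redact() first.
// The sink is injectable so the output can be checked without writing to stdout.
function makeLogger(sink = (line) => process.stdout.write(line + '\n')) {
  return {
    info(message, fields = {}) {
      const record = { level: 'info', message: redactString(message), ...redact(fields) };
      sink(JSON.stringify(record));
      return record;
    },
  };
}
```

Redacting by field name catches the common case (a whole request object dumped to the log); the pattern pass catches the awkward one, a key pasted into free text such as a user prompt or an error message. Both are needed, and neither replaces storing the logs themselves with restricted access.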
If You’re Not a Developer, You Need to Be Extra Cautious
Vibe coding is empowering because it lets non-coders build. It’s risky for the same reason: you may ship things you don’t fully understand, and security issues often hide in the details.
Attackers don’t care if your site is small. Automated bots scan the internet for exposed keys and open endpoints all day, every day. The smallest projects are often the easiest to drain because nobody is watching.
If you’re not comfortable answering questions like “Where is this key stored?”, “How is this endpoint authenticated?”, and “What happens if someone hits this 10,000 times?”, then assume you have exposure and fix that before you scale.
Don’t Assume the API Provider Will Refund You
This part stings. Many API providers treat usage charges as the account holder’s responsibility, even when the usage was unauthorized. Some may offer goodwill credits. Many won’t. Either way, the dispute process can take time and the bill is still real.
In other words, prevention is cheaper than hoping support will save you.
My Personal Take: This Is Why I’m Still Wary of Vibe Coding
In my opinion, this is one of the best arguments for being cautious with AI-built “ship fast” systems that touch anything financial. The tools are new, the guardrails are inconsistent, and a lot of people are shipping code they can’t properly review.
That mix creates security risk and financial risk. And when money is involved, a small mistake doesn’t stay small for long.
I’m not anti-AI. I’m not anti-speed. I am anti-waking-up-to-receipts.
Learn From His Loss Before You Pay Your Own Tuition
If you’re building with APIs right now, assume your project will be probed. Assume keys will be hunted. Assume endpoints will be tested while you sleep.
Protect your API keys like money. Move sensitive calls server-side. Restrict usage. Limit permissions. Add authentication. Rate limit. Set alerts. Rotate keys.
Ship fast if you want. Just don’t ship exposed.