Practical guides to protect yourself, your family, and your business from AI-driven scams, deepfakes, and emerging cyber threats.
Researchers at Wake Forest University tested 444 AI chatbot apps from Apple's App Store and found that 282 of them, nearly two-thirds, were handing out the credentials to their own artificial intelligence. In many cases the secret was visible just by watching the app talk to the internet: a password sent in the clear, a reusable token, or a backend server that answered anyone who asked. Whoever captures that credential can run AI requests on the developer's account, and the developer gets the bill.
The study, published in June 2026, matters because the mistake is old and the meter is new. Hardcoding a secret into a mobile app has been a known error for a decade. What changed is that the secret now unlocks a service billed by the word, so every leaked key is an open tab someone else can run up. If your company ships a mobile app that talks to an AI model, this is a bill and a data-exposure risk sitting in a pocket somewhere right now.
The team built a tool they call LLMKeyLens and used it to watch each app's network traffic. It sits between the app and the internet as a man-in-the-middle proxy (software that intercepts the connection to read what passes through), works out which AI provider the app is calling, pulls out any credential it sees, and then actually tests that credential to confirm it still works. No jailbreaking, no cracking open the app's code. It just listens to the conversation the app is already having.
The 282 leaking apps failed in one of three ways. In 54 apps the API key (the secret string that authorizes calls to a service like OpenAI or Google Gemini) was sent in plain text, readable from a single captured request. In 92 apps there was no key to steal because the app routed everything through a backend server that answered any request with no check on who was asking, an open relay to a paid AI account. The largest group, 136 apps, used temporary access tokens that were meant to be safer, yet those tokens leaked in the same traffic and were usually still valid when caught. One app with more than 100,000 ratings issued a token set to expire in the year 2125. Another app's one-hour token still worked 128 days after it should have died.
Start with the money, because this is not theoretical. Stolen AI keys feed a practice the industry calls LLMjacking, where attackers run their own workloads on someone else's credential. The security firm Sysdig calculated that a single abused key could run up more than 46,000 dollars a day in AI charges. Now widen the lens. If your organization publishes an app that calls an AI model, that model's key may be riding inside the app where anyone who installs it can read it, and the first sign of trouble could be an invoice. The exposed system prompts are a quieter loss: they hand a competitor or an attacker your product's playbook, and in the wrong hands a leaked prompt becomes a map for manipulating the assistant. The systemic shift is the uncomfortable part, because the race to bolt an AI feature onto every app has revived a security mistake the mobile world thought it had outgrown, except this time the leaked secret is metered, so a configuration slip turns straight into cash walking out the door. A matching 2025 study called LM-Scout found the same broken wiring across Android apps and automatically broke into 120 of them, so no single platform gets to feel safe here.
None of this needed a sophisticated attack. It needed someone to watch an app do what it already does and read a secret off the wire. The remedy has not changed in years: keep the key on a server you control, verify who is calling, and revoke anything that has leaked. What the AI boom added is a price tag, because the credential now bills by the token and the meter runs in the attacker's favour. One question is worth raising before your next release. If a stranger downloaded your app tomorrow and watched its traffic, what could they charge to your account?


