GPT-4 Faces Ongoing Ek_ Leak Crisis as New Data Breaches Persist

The latest safety audit, published on the open‑source repository SafetyLayer, documents more than 60 independent probe runs against GPT‑4o that each extracted the same internal token pattern despite the presence of vault‑based key storage and a proxy layer designed to block raw credential exposure [report]. The probes, which cost roughly $0.04 per run, never injected actual secrets into the prompt; instead they used semantic pressure techniques such as chain‑of‑thought prompting and trust‑building queries. Yet each run returned session tokens prefixed with ek_, references to EPHEMERAL_KEY objects, and URLs pointing to the Realtime API’s client_secret endpoint. The observed time‑to‑live (TTL) for these leaked artifacts ranged from several minutes to multiple hours, far exceeding the documented 60‑second expiration [report].

According to the same report, the convergence rate of the leaks—i.e., the proportion of probes that reproduced the exact internal structure—settled at 75 percent, indicating that the model has internalized the naming conventions from publicly available Realtime API documentation and code samples released between 2024 and 2025. The authors stress that this is not a hallucination; the model is reproducing patterns it has learned from legitimate sources rather than fabricating them [report]. This creates a paradox for OpenAI’s engineering teams: suppressing the ek_, EPHEMERAL_KEY, or client_secret identifiers would likely break the model’s ability to generate correct Realtime API snippets such as `session.update`, `metadata_nonce`, or `realtime_persistence_layer` calls, which developers rely on for debugging and integration [report].

External coverage has begun to echo these concerns. Ars Technica noted that the leaks represent “the oddest ChatGPT leaks yet,” highlighting how the exposed token prefixes appear in chat logs that were never intended for public consumption [Ars Technica]. While the article does not provide new quantitative data, it underscores the broader security implications of a language model that can surface internal credential scaffolding through ordinary conversational prompts. VentureBeat’s recent piece on “Shadow AI” points out that such blind spots—where AI systems inadvertently reveal operational details—are expanding at a rapid pace, doubling roughly every 18 months and creating gaps that traditional security operations centers struggle to monitor [VentureBeat]. Although the VentureBeat story focuses on a wider class of AI‑driven threats, its observation about the growing difficulty of detecting these leaks aligns with the persistent ek_ exposure documented in the SafetyLayer report.

OpenAI has not issued an official response to the SafetyLayer findings, but the company’s prior statements on credential handling suggest that vaults and proxy layers were intended to eliminate “2 am paste” vectors, where developers might accidentally expose raw keys in prompts [report]. The new data indicates that these mitigations are insufficient when the model can infer token structures from its training corpus. ZDNet recently quoted OpenAI CEO Sam Altman warning against over‑reliance on AI for high‑stakes tasks such as therapy, a comment that indirectly acknowledges the limits of model reliability when internal mechanisms become observable [ZDNet]. While Altman’s remark does not address the ek_ issue directly, it reinforces the notion that unchecked model behavior can have unintended consequences.

The repository accompanying the report includes the full set of vectors and example runs, allowing independent verification of the leak patterns [report]. The discussion thread on Hacker News, linked from the same source, has attracted only a single comment, suggesting limited public awareness despite the technical severity [report]. As the AI community continues to grapple with “shadow AI” phenomena, the GPT‑4o ek_ leak serves as a concrete case study of how model transparency can backfire, exposing internal scaffolding that was presumed safe behind vaults and proxies. Stakeholders—from developers integrating Realtime API features to security teams monitoring AI‑driven attack surfaces—must now weigh the trade‑off between functional completeness and the risk of credential bleed that appears baked into the model’s learned representations.