Hacker News new | ask | show | jobs
by joshellington 1625 days ago
Wow, they're using Stripe for payments. Here's their API key: pk_live_1vI9jQQVPUd9XXtXEXxRBMDL

Just reported them through the generic Stripe contact form (all I could quickly find).
2 comments
Nextgrid 1625 days ago
In these cases it might be better to commit it to a public GitHub repo which has real-time secret scanning and partnerships with a lot of providers to immediately invalidate detected secrets.
link
site-packages1 1625 days ago
I think this is the public one that's generally posted in the html for the client side stripe portion, not a secret.
link
Doxin 1625 days ago
Yeah definitely. The public keys start with pk_, the private ones start with sk_.
link
bredren 1625 days ago
My first question was how they were collecting these "high risk" payments.

In general, Stripe describes a 7-14 day payout schedule, but has shorter ones for many countries.

Presumably it takes a fair amount of identity info to get to the 2 business day accelerated payout speed available to low-risk businesses in the US.

https://stripe.com/docs/payouts#payout-schedule

link
Nextgrid 1625 days ago
I would be really surprised if the scam is taken down in just 14 days (without the media's attention), so they're typically able to get a couple of payouts at least.

Maybe this is just a single occurrence in a large scheme with lots more websites & separate payment providers.

link