Over the last 2 days I've had over 2000 transactions from my Chargekeep form on my website through the Stripe API for small amounts. Many of these have been blocked, many are "incomplete", some have been successful, and are clearly bot driven card testing fraud.
Despite taking the form down off the site and un-publishing the form through Chargekeep, the transactions kept coming. I have rotated out API keys. Clearly they are using access to the Stripe API and don't need the form any longer. The transaction descriptor is always that of the Chargekeep form though.
Has Chargekeep been hacked to reveal API keys or something else?
I have tried contacting Chargekeep through their website but they only have an AI assistant which returns an OpenAI over quota error when I try to use it. No other method of contact is provided by them - trying here.