Can't Hide Behind the API: Stealing Black-Box Commercial Embedding Models

TL;DR

The paper investigates the risk of stealing commercial embedding models that are accessible only through APIs. It collects input–output pairs from OpenAI and Cohere and trains a BERT-based student to reproduce final embeddings, evaluating on MSMARCO and BEIR. Key contributions include multi-teacher distillation, bottleneck embedding strategies, and efficient training costs (sub-$300 training cost on a single GPU), with strong cross-domain transfer and the option to concatenate embeddings from multiple teachers. The work discusses practical defenses, such as using non-predictable backbones and limiting exposed data, and emphasizes the security implications for API-based embedding services and the need for robust defenses in real-world deployments.

Abstract

Embedding models that generate dense vector representations of text are widely used and hold significant commercial value. Companies such as OpenAI and Cohere offer proprietary embedding models via paid APIs, but despite being "hidden" behind APIs, these models are not protected from theft. We present, to our knowledge, the first effort to "steal" these models for retrieval by training thief models on text-embedding pairs obtained from the APIs. Our experiments demonstrate that it is possible to replicate the retrieval effectiveness of commercial embedding models with a cost of under $300. Notably, our methods allow for distilling from multiple teachers into a single robust student model, and for distilling into presumably smaller models with fewer dimension vectors, yet competitive retrieval effectiveness. Our findings raise important considerations for deploying commercial embedding models and suggest measures to mitigate the risk of model theft.