Do you have no process ready to rotate a user's exposed credentials? It's what I would expect from any service provider once they become aware of an exposure.
Isn't this exactly what he explained? The user has a easy toggle on their dashboard to rotate credentials - and if he needs a hand with it, contact their support for some help.
I think the parents question was why they wait for the customer to do something instead of blocking/rotating the compromised credentials once they became aware of their existence.
E.g. I remember reading that Amazon even scans Github for AWS credentials proactively now, since this happened all the time.
True. It should be in the TOS that exposed api keys are subject to being revoked to prevent abuse. At least for certain services, and certain types of tokens.
Feel free to contact our support or myself directly - dwight@getstream.io - if you need a hand.