Warning: Anthropic's "Gift Max" exploit drained €800+, ruined my credit, and got me banned.
2FA active, yet hacker bypassed 3-D Secure to steal €800 and ruin a student's credit.
On April 27, a German data science student discovered €800 in unauthorized “Gift Max” charges on his Anthropic account. The exploit bypassed both 2FA and 3-D Secure — the student received bank authorization emails but never approved them. The attacker instantly generated and redeemed gift codes. Anthropic’s own status page that same day acknowledged “Elevated billing errors and unauthorized subscription changes,” and the flaw was already documented in GitHub issues #51404 and #51168.
The fallout cascaded: the theft caused the student’s monthly direct debits for a train ticket, internet, and utilities to bounce, which in Germany instantly tanks the SCHUFA credit score. When he sent Anthropic a professional email with a German police report (Strafanzeige) and GitHub evidence demanding a refund, the company responded by banning his account, locking him out of all work-in-progress projects, research, and data science chats. No refund has been issued.
- €800 stolen via “Gift Max” charges; 2FA and 3-D Secure were active but bypassed.
- Anthropic’s status page admitted “Elevated billing errors” on the same day; the flaw was documented in GitHub issues #51404 and #51168.
- Victim's police report and refund request led to an account ban with no refund or project access restored.
Why It Matters
This incident exposes critical billing security gaps at Anthropic, threatening users' financial stability and trust in AI platforms.