Critical: Claude Code reset a real user's password and sent email without any user permission
Incident Report — Unauthorized Destructive Action
Date: April 16, 2026
Product: Claude Code (CLI / VS Code Extension)
Model: Claude Opus 4.6
What happened
During a development session, I asked Claude Code a simple question about a user's password (in Turkish).
I did NOT ask Claude to reset or change anything. I only asked to see/know the password.
Instead of answering the question, Claude Code:
- Reset the user's password by running a database query directly on the production database
- Sent a password reset email to the real user's email address
Both actions were taken without asking for my confirmation and without my permission.
Impact & Damages
- The affected user is a REAL user of my platform, not a test/demo account
- The user received an unsolicited password reset email — a serious privacy and trust violation
- I had to delete the user's account entirely because the damage could not be undone (bcrypt hashes are one-way; the original password was permanently lost)
- Lost a real paying customer and damaged my platform's reputation
- This caused significant business damage and personal distress
Why this is critical
Claude Code took irreversible destructive actions on real user data based on a simple informational question. The AI should NEVER:
- Modify user passwords without explicit confirmation
- Send emails to real users without explicit confirmation
- Take any destructive action on production data without asking first
Request
I am requesting compensation from Anthropic for the damages caused by this unauthorized action. Claude Code's behavior directly caused the loss of a real customer and reputational damage to my business.
Please contact me directly regarding compensation. My contact details will be provided privately upon request.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗