[BUG] Billing - 12+ Unauthorized Auto-Recharge Charges Due to Exposed API Key, Only 1 of 12 Refunded
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
My API key was exposed client-side due to a VITE_ prefixed environment variable, resulting in unauthorized usage. 12+ auto-recharge transactions totaling ~$148.67 occurred within 24 hours (April 16-17, 2026).
I contacted support and only 1 transaction ($11.00) was automatically refunded. The system marked my organization as "already refunded" and refuses to process the remaining ~$137.67.
5+ support conversations submitted (IDs: 215473951185476, 215473951268251, 215473951315517, 215473951805781, 215473987005927) but only AI agent responses received. No human agent has reviewed this case.
Account: idiolle@gmail.com
Organization: 현서방's Individual Org
Compromised key: jesamoad (sk-ant-api03-i7E...SQAA) - revoked
Period: April 16-17, 2026
Total unauthorized charges: ~$148.67
Refunded: $11.00 (1 transaction)
Remaining: ~$137.67
What Should Happen?
Refund of the remaining ~$137.67 in unauthorized auto-recharge charges, reviewed by a human billing specialist.
Error Messages/Logs
Steps to Reproduce
- API key exposed via VITE_CLAUDE_API_KEY in client-side JavaScript
- Unauthorized third party extracted key and made API calls
- Auto-reload triggered 12+ times ($10-15 each)
- Support AI agent refunded only 1 of 12+ transactions
- AI agent marks organization as "already refunded" and repeats policy
Claude Model
None
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
N/A - billing issue
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
VS Code integrated terminal
Additional Information
Actions already taken:
- Revoked compromised API key
- Disabled auto-reload
- Reduced monthly spend limit
- Migrated all API calls to Firebase Functions backend proxy
- New key stored as Firebase Secret (server-side only)
- Added rate limiting (5 req/min, $5/day cap)
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗