[BUG] Unauthorized Max 5x→20x upgrade + €491 auto-recharge charges in one day

Open 💬 0 comments Opened Jun 29, 2026 by FHUOO

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

What's Wrong?

Summary: On 27–28 June 2026 my account was (1) upgraded from Max 5x to Max 20x and (2) charged ~€491 in Extra Usage / auto-recharge credits across multiple large charges within hours — none of which I initiated. I performed no plan upgrade and no action that could account for this usage. No confirmation prompt and no 3-D Secure / OTP challenge appeared for any of these charges, despite my account being in the EEA. I believe my account was accessed without authorization, and I am treating this as an account-compromise + billing incident, not normal usage.

I have a prior history of session-token theft on another service, so unauthorized session access is a realistic vector here.

What happened (from my own Anthropic invoices)

All amounts are the gross card charges (incl. 19% DE VAT). Invoice numbers are from Anthropic Ireland.

| Invoice (9BF0758D-) | Date | Description on invoice | Charge |
|---------------------|---------|-------------------------------------------------|----------|
| 3413309 | 27 Jun | Plan upgrade 5x → 20x (incl. −€50.81 unused 5x credit) | €153.74 |
| 3413904 | 27 Jun | Prepaid extra usage | €45.52 |
| 3413905 | 27 Jun | Auto recharge extra usage | €65.45 |
| 3414146 | 27 Jun | Auto recharge extra usage | €179.71 |
| 3420210 | 28 Jun | Prepaid extra usage | €45.52 |

Total disputed: €490.94. My bank also recorded further declined attempts of €45.52 on 28 June at 17:18.

For reference, my legitimate recurring subscription (invoice 3054644, €107.10, Max 5x, 14 Jun) is not disputed.

Why this is unauthorized, not legitimate usage

  • I did not upgrade my plan. The 5x → 20x upgrade (invoice 3413309) happened with no action from me. A plan upgrade does not occur on its own — this strongly indicates someone with account access raised my plan, which also raises usage limits and the auto-recharge ceiling.
  • Immediately after the upgrade, auto-recharge fired repeatedly (invoices 3413905, 3414146) for large amounts. I did not enable auto-recharge.
  • Charges of this size accrued within hours, while I was not running any workload that could plausibly cost this.
  • No confirmation prompt and no 3-D Secure / OTP challenge appeared for any charge, despite the account being in the EEA where SCA normally applies to card payments.
  • I am on a fixed-price Max plan and have never come close to hitting plan limits under normal use.

The sequence — unauthorized plan upgrade → auto-recharge enabled → rapid extra-usage charges, with no SCA — is consistent with account compromise, and overlaps with documented Extra Usage / usage-tracking issues (e.g. #24727, #29289, #32544).

Environment

  • Plan at time of incident: silently changed from Max 5x to Max 20x
  • Tool: Claude Code 2.1.153
  • OS: macOS
  • Account region: Czech Republic (EEA); billing address Germany
  • Auto-reload / usage credits: was enabled at the time of the charges; I did not configure it; I have since disabled it

Actions I have already taken

  • Changed my password and signed out all sessions/devices
  • Disabled auto-reload / usage credits
  • Removed/checked my payment method and checked for API keys I did not create
  • Opened a bank dispute for the charges as unauthorized transactions

What I'm Requesting

  1. Full refund of €490.94 in unauthorized charges (invoices 3413309, 3413904, 3413905, 3414146, 3420210).
  2. Reversal of the unauthorized plan upgrade back to my original Max 5x.
  3. A security review of my account: active sessions, devices, login history around 27 June, and any API keys — to identify how the upgrade and charges were initiated.
  4. Confirmation that no further charges will be attempted.
  5. Human review — not an automated determination.

Support ticket Conversation ID: 215474877738967

(Posting here because billing/account issues are routinely routed through this repository. I have removed personal identifiers; account-specific details can be provided privately to the support team.)

What Should Happen?

No plan upgrade or paid charge should occur without an explicit, authenticated action by me, and EEA card payments should trigger 3-D Secure. None of these charges had any confirmation or SCA. Charges that I did not initiate should not be possible.

Error Messages/Logs

No error shown. Charges occurred silently. Anthropic invoices: 3413309 (€153.74, plan upgrade 5x→20x), 3413905 (€65.45, auto recharge), 3414146 (€179.71, auto recharge), 3413904 (€45.52, prepaid extra usage), 3420210 (€45.52, prepaid extra usage). Total €490.94.

Steps to Reproduce

Account on Max 5x (legitimate subscription billed 14 June).
On 27 June the plan was upgraded to Max 20x — I performed no upgrade action.
Immediately after, auto-recharge fired repeatedly: €65.45, €179.71, plus prepaid extra usage €45.52 and €45.52 (28 June).
All within hours, no confirmation prompt, no 3-D Secure challenge.
I was not running any workload that could account for this usage.

Note: I have a prior history of session-token theft on another service, so unauthorized session access is a realistic vector. Requesting: full refund of €490.94, reversal of the unauthorized upgrade, and a security review of sessions/devices/API keys.

Claude Model

Not sure / Multiple models

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.153

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

_No response_

View original on GitHub ↗