[BUG] Unauthorized Max 5x→20x upgrade + €491 auto-recharge charges in one day
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
What's Wrong?
Summary: On 27–28 June 2026 my account was (1) upgraded from Max 5x to Max 20x and (2) charged ~€491 in Extra Usage / auto-recharge credits across multiple large charges within hours — none of which I initiated. I performed no plan upgrade and no action that could account for this usage. No confirmation prompt and no 3-D Secure / OTP challenge appeared for any of these charges, despite my account being in the EEA. I believe my account was accessed without authorization, and I am treating this as an account-compromise + billing incident, not normal usage.
I have a prior history of session-token theft on another service, so unauthorized session access is a realistic vector here.
What happened (from my own Anthropic invoices)
All amounts are the gross card charges (incl. 19% DE VAT). Invoice numbers are from Anthropic Ireland.
| Invoice (9BF0758D-) | Date | Description on invoice | Charge |
|---------------------|---------|-------------------------------------------------|----------|
| 3413309 | 27 Jun | Plan upgrade 5x → 20x (incl. −€50.81 unused 5x credit) | €153.74 |
| 3413904 | 27 Jun | Prepaid extra usage | €45.52 |
| 3413905 | 27 Jun | Auto recharge extra usage | €65.45 |
| 3414146 | 27 Jun | Auto recharge extra usage | €179.71 |
| 3420210 | 28 Jun | Prepaid extra usage | €45.52 |
Total disputed: €490.94. My bank also recorded further declined attempts of €45.52 on 28 June at 17:18.
For reference, my legitimate recurring subscription (invoice 3054644, €107.10, Max 5x, 14 Jun) is not disputed.
Why this is unauthorized, not legitimate usage
- I did not upgrade my plan. The 5x → 20x upgrade (invoice 3413309) happened with no action from me. A plan upgrade does not occur on its own — this strongly indicates someone with account access raised my plan, which also raises usage limits and the auto-recharge ceiling.
- Immediately after the upgrade, auto-recharge fired repeatedly (invoices 3413905, 3414146) for large amounts. I did not enable auto-recharge.
- Charges of this size accrued within hours, while I was not running any workload that could plausibly cost this.
- No confirmation prompt and no 3-D Secure / OTP challenge appeared for any charge, despite the account being in the EEA where SCA normally applies to card payments.
- I am on a fixed-price Max plan and have never come close to hitting plan limits under normal use.
The sequence — unauthorized plan upgrade → auto-recharge enabled → rapid extra-usage charges, with no SCA — is consistent with account compromise, and overlaps with documented Extra Usage / usage-tracking issues (e.g. #24727, #29289, #32544).
Environment
- Plan at time of incident: silently changed from Max 5x to Max 20x
- Tool: Claude Code 2.1.153
- OS: macOS
- Account region: Czech Republic (EEA); billing address Germany
- Auto-reload / usage credits: was enabled at the time of the charges; I did not configure it; I have since disabled it
Actions I have already taken
- Changed my password and signed out all sessions/devices
- Disabled auto-reload / usage credits
- Removed/checked my payment method and checked for API keys I did not create
- Opened a bank dispute for the charges as unauthorized transactions
What I'm Requesting
- Full refund of €490.94 in unauthorized charges (invoices 3413309, 3413904, 3413905, 3414146, 3420210).
- Reversal of the unauthorized plan upgrade back to my original Max 5x.
- A security review of my account: active sessions, devices, login history around 27 June, and any API keys — to identify how the upgrade and charges were initiated.
- Confirmation that no further charges will be attempted.
- Human review — not an automated determination.
Support ticket Conversation ID: 215474877738967
(Posting here because billing/account issues are routinely routed through this repository. I have removed personal identifiers; account-specific details can be provided privately to the support team.)
What Should Happen?
No plan upgrade or paid charge should occur without an explicit, authenticated action by me, and EEA card payments should trigger 3-D Secure. None of these charges had any confirmation or SCA. Charges that I did not initiate should not be possible.
Error Messages/Logs
No error shown. Charges occurred silently. Anthropic invoices: 3413309 (€153.74, plan upgrade 5x→20x), 3413905 (€65.45, auto recharge), 3414146 (€179.71, auto recharge), 3413904 (€45.52, prepaid extra usage), 3420210 (€45.52, prepaid extra usage). Total €490.94.
Steps to Reproduce
Account on Max 5x (legitimate subscription billed 14 June).
On 27 June the plan was upgraded to Max 20x — I performed no upgrade action.
Immediately after, auto-recharge fired repeatedly: €65.45, €179.71, plus prepaid extra usage €45.52 and €45.52 (28 June).
All within hours, no confirmation prompt, no 3-D Secure challenge.
I was not running any workload that could account for this usage.
Note: I have a prior history of session-token theft on another service, so unauthorized session access is a realistic vector. Requesting: full refund of €490.94, reversal of the unauthorized upgrade, and a security review of sessions/devices/API keys.
Claude Model
Not sure / Multiple models
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.153
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
_No response_