ISMS Copilot - Undue Stripe Charges Due to API incident – Incident details
Undue Stripe Charges Due to API incident
Status: Resolved
Started 17 days ago; lasted about 4 hours
Affected
ISMS Copilot
Under maintenance from 12:00 PM to 3:32 PM, Operational from 3:32 PM to 6:32 PM
Updates
Update
We have reviewed our API configurations and taken measures to ensure this cannot occur again. We have also removed the stored payment methods of past customers who no longer have an active subscription, so that they cannot be charged in the future.
Resolved
This incident has been resolved.
Monitoring
* _Initial Update (1 hour after incident)_: Identified unauthorized charges of customers via Stripe. Refunds initiated, and investigation into the root cause underway.
* _Final Update (2 hours after incident)_: Incident contained, all refunds triggered, and ongoing investigation to strengthen API security.
Investigating
An incident affecting our API caused Stripe to unexpectedly charge hundreds of current and past customers €163 each. All refunds have been triggered, and the incident is now contained. We are actively investigating how this attack bypassed our configuration checks so that we can prevent future occurrences. Our support team is progressively responding to hundreds of customer inquiries. Refunds are expected to be processed within 5 days, though this may vary depending on individual banks. We are deeply sorry for the inconvenience and are committed to ensuring this does not happen again.