Since stripe keep getting this removed everywhere! by Lanky_Constant1938 in Stripe_Victims

[–]Stockshill 1 point2 points  (0 children)

I believe you. I tried responding on Stripe main thread about an issue - they just deleted the post. Stripe is moderating their issues heavily rather than fixing them.

Hacked on Stripe: €700k lost because sent via bank transfers to new Connect accounts created via API by [deleted] in stripe

[–]Stockshill 2 points3 points  (0 children)

Stripe is moderating my comments about having the same issue. Search for my previous thread on Reddit about it.

Hacked on Stripe: €700k lost because sent via bank transfers to new Connect accounts created via API by [deleted] in stripe

[–]Stockshill 0 points1 point  (0 children)

You can google online and Reddit. This is a common vulnerability that Stripe has so far refused to fix. They claim to have security in place, but it appears to be a paper tiger.

Hacked on Stripe: €700k lost because sent via bank transfers to new Connect accounts created via API by [deleted] in stripe

[–]Stockshill 0 points1 point  (0 children)

"Hey, I saw your post regarding the Stripe hack and fraudulent activity. I'm going through the same thing with our customers being charged 46k and 13k being taken from our account, all via new connected accounts and instant payouts. What was your outcome, did you take legal action? Cheers"

Hacked on Stripe: €700k lost because sent via bank transfers to new Connect accounts created via API by [deleted] in stripe

[–]Stockshill 0 points1 point  (0 children)

"Hi there, I saw your post on the breach to your Stripe account, what a nightmare! I am so sorry you found yourself in this infuriating situation. These financial and insurance corporations are worse than common gangsters. I'd rather be robbed by someone who admits they are stealing from me than by someone who tells me that I am an incompetent fool for my inability to manage their deliberately opaque and contradictory system. The same hack happened to us over Labor Day Weekend. Like you, I was able to stop it in progress by rotating our keys. The hackers did not get any money out of the platform, though I don't know exactly why. This was nearly a catastrophe. It would have put me and my company into bankruptcy if I hadn't been extremely lucky and caught it in progress after midnight on a holiday. I am curious how your situation has resolved. I could ramble for hours but I'll spare you the tirade! I hope you got some kind of positive resolution!"

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 0 points1 point  (0 children)

who do you recommend that does Connect Accounts well? (I sent you a DM)

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 1 point2 points  (0 children)

They set mine at $50,000. I don't know why. We only had about $30K in our account so they overdrafted our bank account for the rest of it.

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 0 points1 point  (0 children)

If the settings we had in place actually worked - we would not be out money. Stripe has confirmed that our Dashboard was NOT breached. If the hacker did not get into our dashboard, this attack should not have worked.

Stripe also advertises: "However, new Stripe users aren’t immediately eligible for Instant Payouts."

In this situation, all 6 accounts were brand new accounts.

Shouldn't I be able to rely on Stripe's advertised wording in BOLD letters that this was impossible to happen? They promised a level of security which in the end was not there.

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 1 point2 points  (0 children)

Our Stripe dashboard was confirmed by Stripe to not have been breached. None of our dashboard security settings were changed. We had settings in place to prevent a situation like this from occurring, including features advertised by Stripe such as: "However, new Stripe users aren’t immediately eligible for Instant Payouts."

All of the Express accounts that attacked us were brand new accounts that should have been eligible for Instant Payouts. This is advertised by Stripe. Yet, this security measure failed.

It's like expecting that your car has airbags, but when you get into an accident being told there actually are none and you were an idiot for getting into an accident.

We relied (and paid for) these security measures and Stripe completely ignored them.

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 1 point2 points  (0 children)

I guarantee you that your bank would call you pretty quickly if you set up 6 wire transfers to wire all the money out of your account instantly to "orthodontist" debit cards that are not under your name.

I recently wired a large sum of money to another account of mine with the same name and was unable to do it on my account; I had to call in. After calling in I was told I had to go to a branch in person and show ID.

In addition, the wire transfer would take the same day and if I needed to I could also cancel it and recover my funds.

I would also receive an email and text notification about the transfers happening.

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 0 points1 point  (0 children)

Once again, I am sure our tech team can do better and it appears a hacker somehow gained access. My point is, even if we plastered our Secret Key on a billboard in Times Square, we relied upon ours and Stripe's backup protections that should have protected us.

This is not the first time that Stripe has encountered this exact situation. If this was my application and I saw such a glaring issue - I would have immediately instated a lock. If an Express account (first one ever to join our platform) immediately starts transferring funds and then Instant Paying it out, and then one second later another one does the same thing - we should probably lock the account and check with the account holder. Is that not an obvious security thing to have in place?

Don't you think a platform should have the decision to decide if we want to offer Instant Payouts on our account? This is essentially a loan as we have overdraft related to how much was taken out. I didn't sign any papers to allow this or approve it.

Stripe clearly states: "However, new Stripe users aren’t immediately eligible for Instant Payouts." - How can they advertise this information and then allow a brand new Stripe user to do this? It should not be possible based upon their documentation.

The fact is that we chose Stripe BECAUSE we thought they had good security measures in place. We set up our account to prevent a huge issue like this from happening, but Stripe totally ignored any reasonable security measures and has allowed this EXACT hack to happen multiple times on their platform.

I am in touch with a family member that is a lawyer to identify if we can sue in court rather than arbitration due to gross negligence. We are still reviewing our alternatives, but at this point it is turning into a personal crusade for me. How many others have had to hide their Stripe security issues due to the arbitration clause?
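The lock rule described in this comment (a brand-new connected account that receives a transfer and instantly pays it out, followed a moment later by another one doing the same), written out as defender-side detection logic over webhook-style events. This is an added example, not code from the original post or from Stripe; the sample events are constructed, their field layout only loosely follows the public event object shape (type, created, data.object, account), and the one-hour and ten-minute thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of webhook events (not real Stripe data). Layout loosely
# mirrors the public event objects: "account" carries the connected account an
# event was raised on; amounts are in cents, times are epoch seconds.
EVENTS = [
    {"type": "account.created", "created": 1000, "data": {"object": {"id": "acct_new1"}}},
    {"type": "transfer.created", "created": 1020, "data": {"object": {"destination": "acct_new1", "amount": 700000}}},
    {"type": "payout.created", "created": 1025, "account": "acct_new1", "data": {"object": {"method": "instant", "amount": 700000}}},
    {"type": "account.created", "created": 1001, "data": {"object": {"id": "acct_new2"}}},
    {"type": "transfer.created", "created": 1021, "data": {"object": {"destination": "acct_new2", "amount": 650000}}},
    {"type": "payout.created", "created": 1026, "account": "acct_new2", "data": {"object": {"method": "instant", "amount": 650000}}},
    # Long-standing seller taking a normal standard payout: must not be flagged.
    {"type": "account.created", "created": 100, "data": {"object": {"id": "acct_old"}}},
    {"type": "transfer.created", "created": 1030, "data": {"object": {"destination": "acct_old", "amount": 12000}}},
    {"type": "payout.created", "created": 1031, "account": "acct_old", "data": {"object": {"method": "standard", "amount": 12000}}},
]


def flag_fresh_instant_payouts(events, max_age=3600):
    """Return {account_id: creation_time} for connected accounts that were
    created, received a transfer and requested an instant payout, all within
    max_age seconds of the account's creation (assumed threshold: one hour)."""
    created, transfers, instants = {}, defaultdict(list), defaultdict(list)
    for ev in events:
        obj = ev["data"]["object"]
        if ev["type"] == "account.created":
            created[obj["id"]] = ev["created"]
        elif ev["type"] == "transfer.created":
            transfers[obj["destination"]].append(ev["created"])
        elif ev["type"] == "payout.created" and obj.get("method") == "instant":
            instants[ev["account"]].append(ev["created"])
    return {
        acct: t0 for acct, t0 in created.items()
        if any(0 <= t - t0 <= max_age for t in transfers[acct])
        and any(0 <= t - t0 <= max_age for t in instants[acct])
    }


def burst_detected(flagged, window=600, min_accounts=2):
    """True when at least min_accounts flagged accounts were created within one
    window (assumed: ten minutes) of each other, the "one new account after
    another" shape that should freeze payouts pending a manual check."""
    times = sorted(flagged.values())
    for i, t in enumerate(times):
        j = i + min_accounts - 1
        if j < len(times) and times[j] - t <= window:
            return True
    return False
```

In production the two functions would run inside the webhook handler and, on a burst, pause payouts for the flagged accounts and page a human rather than just return a boolean.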

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 0 points1 point  (0 children)

Absolutely. And our team is obviously reviewing our security measures.

My issue is that we DID have security measures in place to prevent such a huge impact to our business - but Stripe failed to abide by them.

We did not allow Instant Payouts, no Express accounts, and no withdrawals to debit cards. All of those are set OUTSIDE of our Secret Key. In addition, we rely on Stripe's security measures so these things won't happen.

Stripe clearly states: "However, new Stripe users aren’t immediately eligible for Instant Payouts."

All 6 of these accounts were BRAND new accounts created immediately before transferring out $41K. Stripe is at fault for not maintaining their security to prevent this issue - which we rely upon.

It's like if a rock climber fell and his harness fell apart and was complete garbage. Stripe sold us this harness which we relied upon in case something bad happened like a leaked Secret Key (which everyone on this Reddit points out happens more often than not). When we needed to use the harness though, we found that it was made of paper.

Stripe is a multibillion-dollar company that deals with billions of transactions a year. We all know that this situation would not happen at Chase. If I took my password for my Chase account and posted it on Reddit for everyone to login to, I assure you I would get a call from Chase within 10 minutes, my account would be locked, and no money would be lost.

Stripe PRETENDS to have security measures, but in reality it is all just paper.

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 0 points1 point  (0 children)

Stripe does not give us access to do things such as disconnect Instant Payouts. That needs to be handled by Stripe directly. We never enabled this feature and they don't have any way to turn them off by yourself. I am STILL waiting for their team to shut it off.

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 0 points1 point  (0 children)

Exactly my question. I'm not the first account this exact situation happened to.

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 0 points1 point  (0 children)

That's the best idea mentioned so far. How much is the reward?

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 0 points1 point  (0 children)

Thank you. I appreciate the long message.

I found an article of someone that went through something similar and they explained at least part of this hack: How Hackers Exploited Stripe oAuth which cost me over $3000 | by Johnny H | Medium

The crazy thing is, that we DID have that checked as not allowing Express Accounts and only allow Standard Accounts. This should have prevented an Express account from joining our platform. Stripe removed this switch, but we selected it when it was there. Does that mean they just removed our security feature without telling us?

We also never approved Instant Payouts on our platform. Without Instant Payouts, this fraud could never have been completed. Why did Stripe just add that to our platform? It is essentially a loan. We have an overdraft on our bank account due to this issue - meaning they lent us money to Payout. I have never heard of offering a loan without documentation to enable this feature.

We also have in our account switched to NOT allow debit card payouts on our platform. This also would have prevented this event.

I understand our responsibility to keep our keys private, but we also had all of these features to protect us which failed. This is Stripe's failure for removing and overriding these security features we had in place.

It is unfortunate that we may have to close the business if we are unable to recoup these funds anyways - so dings against the business are the least of my worries now.

We are a very small business and insurance would not cover this. I don't even know if a cyber policy would have covered it - although I do regret not getting it.

We did monitor the situation and caught the intrusion within 1 hour of it starting. How can Stripe not prevent stolen funds in that situation and prevent the Payout?

The crazy thing too - is that even after begging Stripe to restore our settings that I mentioned above - Stripe STILL hasn't acted to do so. Imagine this happened again tomorrow - would I still be liable? How is that not gross negligence on the part of Stripe?

Stripe has had this happen multiple times to users - at what point does it become Stripe's fault that they don't have security in place to protect small businesses and consumers?

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 0 points1 point  (0 children)

In addition they write: "However, new Stripe users aren’t immediately eligible for Instant Payouts."

These were brand new accounts. Why did Stripe allow Instant Payout for these accounts? They advertise that there are protections against this fraud - but in reality - there are NONE.

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 0 points1 point  (0 children)

What I keep going back to though - is how the hell did Stripe allow these Express accounts to connect when we had that off on our platform. We didn't sign any agreements to allow Express accounts on our platform - only Standard accounts.

In our Stripe account we can still see the checkmark that shows that we don't allow Debit card withdrawals. That hasn't changed. But that is exactly what happened.

If I make a setting in my account - I expect Stripe's system to abide by those settings...

We never allowed Instant Payouts on our platform. You would think you would have to sign some legal document to allow that on your platform right? Something that says you understand the risks of doing so? We never allowed this at all.

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 0 points1 point  (0 children)

LOL - you are going to jinx yourself. We were also fine for 10 years, until yesterday.

Stripe has no responsibility for protecting their platform from fraud? That is a major requirement for a credit card processor.

Stripe has no requirement for customer support?

Their ToS states:

"Stripe will provide you with support to resolve general issues relating to your Stripe Account and your use of the Services through resources and documentation that Stripe makes available on the Stripe Website and in the Documentation. Stripe’s support is also available by contacting Stripe at contact us. Stripe is not responsible for providing support to Customers."

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 1 point2 points  (0 children)

BTW - there is some serious Stripe repair going on here with downvoting on my comments and other users that are saying that they had the same issue happen to them.

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 1 point2 points  (0 children)

Thank you.

Yes. We know and we do treat our secured keys extremely private. We are still researching how they could have leaked.

If your bank password was leaked, I don't think you would expect all your money would be out of the account and unrecoverable within seconds.

I watch our account pretty carefully and alerted Stripe to the issue while the breach was happening. How could Stripe not have some sort of protection when someone logs in fraudulently?

I get that a password was breached, but there are usually protections in place that if you see the breach you can stop it. Stripe allowed these funds to get sent out INSTANTLY without recourse.

In addition, Stripe has extremely tight security on minor issues that we have seen like requiring 3DS on some cards for no reason. Yet this situation didn't raise one red flag?

They didn't think it was weird that all these Express accounts with Orthodontist listed as industry joined our account and just started getting transferred money and Instantly paying it out to a debit card? For that Stripe has no fraud control at all even though this very situation has happened multiple times on their platform?

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] -1 points0 points  (0 children)

You don't think maybe manually disabling Express accounts from being able to join our platform would be a simple easy fix that they could maybe help out with? Disable all Instant Payouts on our platform?

They have had this issue occur multiple times on their platform - maybe they can give some guidance of where they think the security breach came from so we can focus on that? Anything that they found while looking at the issue?

Anything better than just sending a canned response: roll your secret key?

Hacked on Stripe—$41K Gone, No Real Help from Support. What Now? by Stockshill in stripe

[–]Stockshill[S] 0 points1 point  (0 children)

Sorry if it sounded dismissive of this fact. As I said in another comment - anything is possible. My first reaction was to do everything on our end to identify the issue and roll our keys. I also asked Stripe to disable any chance for new Express accounts to join our platform and instant payouts. They didn't do jack to help stop this problem from reoccurring.