Anthropic's Gift Max Feature Reportedly Bypassed 2FA and 3D Secure, Charging €800+

€800. That's what a data science student in Germany found charged to their credit card on April 27th through what appears to be an exploit in Anthropic's "Gift Max" feature - the mechanism that lets users gift Claude Max subscriptions to others.

The charges weren't a single transaction. They stacked up as repeated unauthorized purchases, and what makes this particularly alarming is that two layers of payment security appear to have failed. The user had 2FA (two-factor authentication, the extra login step via SMS or app) active on their Anthropic account. They also had 3D Secure enabled - that's the bank-level verification step where your card issuer sends a confirmation before approving an online purchase. Bank notification emails arrived, but the charges went through anyway. The result: over €800 drained, the user's credit damaged, and their Anthropic account banned.

It's not yet clear whether this is an isolated incident or a known vulnerability Anthropic is actively investigating. Anthropic has not issued a public statement on the matter as of publication.

The practical takeaway right now is straightforward: if you have a payment card saved on your Anthropic account, remove it. Navigate to your account billing settings and delete any stored cards until Anthropic confirms the issue has been resolved. Use a virtual card number or pay-as-you-go if you need continued access - most major banks and fintech apps like Revolut or Monzo offer disposable virtual card numbers that limit exposure.

Payment exploits that circumvent 3D Secure are rare but not unheard of - they typically require either a flaw in how the merchant's system handles authentication callbacks, or a compromised merchant account. Whether Anthropic's implementation has a specific gap in the Gift Max flow remains to be confirmed.

Users who believe they've been hit by similar unauthorized charges should contact Anthropic support and file a chargeback with their bank immediately. The 60-day dispute window under most card protections means time matters here.