From the moment I began my freelance web design business back in 2014, I was collecting payments via Stripe and happily paying their processing fees for the ability to grow my business from just a desire for more freedom to running a company that employs women and supports them to create their own freedom and financial independence.

It never occurred to me that using Stripe to process payments would become one of the biggest risks to my small business.

My Stripe account was hacked due to Stripe’s lax security, over $70,000 of fraudulent charges were processed by the hacker through a fake connected account, paid out instantly to that person via Stripe’s Instant Payments to the hacker’s pre-paid debit card, and Stripe started pulling the money out of my business bank account to pay back the victims of the theft.

And Stripe says it’s my fault that my account was hacked and that I’m liable to pay back the victims of the fraud.

Listen to the full podcast episode or read on to find out exactly what happened and how to protect your business.


On a quiet Monday morning after the Easter holiday, I was sipping coffee on my couch in Columbus, Ohio like I normally do, snuggling with my dog and going through my normal morning entrepreneurial routine of checking emails and DMs on my business account when I see an email from Stripe with the subject line:

“Subject: [Action required] Closure of your Stripe account”

We recently identified payments on your Stripe account that don’t appear to have been authorized by the customer, meaning that the owner of the card or bank account didn’t consent to these payments.

As a precautionary measure, we will no longer accept payments for [your company].

We will also begin issuing refunds on card payments on April 15, 2023, although they may take longer to appear on the cardholder’s statement.

Please refer to your dashboard for a list of the charges that will be refunded. If there are insufficient funds on your account to cover any refunds, those refunds won’t be processed and any outstanding funds will remain in your account .

If you believe that we’ve misunderstood or miscategorized your business and would like us to conduct another review of your account , please complete the form on your Stripe Dashboard to provide more information about your business.

Request further review

If you have any questions, you can contact us any time from our support site.”

I remember thinking… yeah, this is probably some phishing scam…

So I check out the “From” address, and actually click into it to see the actual address and it’s saying it’s FROM [email protected]

And I log into my Stripe account from a separate browser, you know, just in case… and after using my Authenticator app because I have 2-factor authentication set up on my account, I see the request at the top of my account asking me to provide proof that I am the owner of my business.

I look at my recent authorized transactions and nothing is out of the ordinary… all of the successful payment listed are from students inside my Web Designer Academy who have been making their monthly membership payments like clockwork.

And I think, “This must just be a mistake. I’ve been a customer of Stripe for 8 years now. I’ll submit all the documentation Stripe requested and I’m sure that will take care of it.”

So I grab my laptop, submit all the documentation right away, and get back to snuggling and scrolling.

Then I log into my back account and see a withdrawal from my business checking account from Stripe for over $600. And another pending transaction for a withdrawal over $2000. And no credits for the payments that were made by students over the weekend.

And I’m feeling very confused thinking, “What is happening?”

I’m starting to feel the anxiety bubbling up, but I tell myself to be patient. Once they review all the documents I submitted to prove that I am who I say I am, this will all get resolved.

A few hours later, I receive another email:

“Subject: Additional review completed for Stripe Shop”

Whew, I think. I’m glad they took care of this so quickly.

I click into the email, and my heart starting pounding in my chest as I read it:

“Thank you for providing additional information about your business.

After reviewing your account again, we’ve confirmed that your business represents a higher risk than we can currently support.

We are unable to accept payments for [your company] moving forward.

Payouts to your bank account have been paused, and we will issue refunds on any card payments by May 10, 2023, although they may take longer to appear on the cardholder’s statement.

If there are insufficient funds on your account to cover any refunds, these refunds will not be processed and any outstanding funds will remain on your account.

Please refer to your Dashboard for a list of the charges to be refunded.

If you’d like to further appeal our decision, please contact us.”

I can feel the panic rising in my body. I tap on the Stripe app on my phone and I see that there’s a negative payout balance… but all the transactions listed in the app are legit.

I logged back into my Stripe account via my computer trying to figure out what in the world they are talking about, what are all these charges that they are saying are fraudulent? I’m looking for a phone number I can call to talk to someone.

I start clicking through every link in my Stripe dashboard, and when I get to the “Connect” menu item, that’s when I see it.

Two accounts with the business name of “Netflix.com” under the name “Albert Dawkins” which between the two accounts had racked up over $70,000 in credit card charges in the 3 days over the Easter holiday weekend.

Looking more closely, the ill-gotten gains were paid out instantly to a pre-paid debit card via Stripe’s Instant Payouts feature the moment the transactions were successful.

I realized my Stripe account was hacked. …

  • maltfieldOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I’m curious if any security engineers have covered this incident.

    Stripe does support generating Restricted API Keys. With “Restricted API Keys” you’re able to mint a key that can live on your e-commerce website that has permission to accept payments but does not have permission to modify your merchant account’s payout methods (eg adding a new “Instant Payments” debit card to the merchant account as this attacker did).

    Unfortunately, I’ve asked WooCommerce to support Restricted API Keys 1 year ago, but they marked it as “low priority”

    …I would appreciate if more people would jump-in on ^ that ticket and scold WooCommerce so that they add support for Restricted API Keys ;)