Hi all 👋 — question for anyone who has been through a similar situation.
I had an API key leak (my fault: env var prefixed VITE_ shipped client-side in a Vite+React build). Within 48h, a third party used it for ~$650 of Claude Code-style sessions (Opus 4.6/4.7, 200k–1M context, cache-write bursts at 00:31 UTC+2 while I was asleep). My app only ever calls Sonnet and Haiku so the Opus signature alone makes it clearly not me.
I caught it within hours, revoked the key, rebuilt with a Firebase Cloud Function proxy (Auth-gated, server-side only), 0 sk-ant- in the bundle, hard $30/month cap on the org. Fully remediated.
I opened a support ticket (#215474002041254, Console → Get help). Got 7 exchanges with Fin AI Agent. Fin has now explicitly confirmed it's an AI, can't escalate to a human, has no access to the assignment queue, and can't process goodwill credits. Also emailed support@anthropic.com with the full file, no human reply yet.
I'm not contesting the standard "consumed credits are non-refundable" policy — I'm asking for a one-time goodwill gesture since the usage pattern is obviously third-party abuse, not legitimate app traffic.
Has anyone here successfully reached a human at Anthropic for an API billing / goodwill case? If yes, which channel worked and roughly how long did it take? Happy to share more detail in a thread if it's useful.
Thanks 🙏