Warning: Anthropic "Gift Max" Exploit cost me €800, tanked my SCHUFA score, and got me banned.

2026-05-05 · Source: Artificial Intelligence · Field: Technology & Digital — Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning, Software Development & Engineering · Depth: Intermediate, long

Summary

An Anthropic user, a data science student in Germany, reported unauthorized charges exceeding €800 on April 27th for "Gift Max" purchases, despite having 2FA active and 3-D Secure unauthorized. This incident, which led to failed payments for essential services and a damaged SCHUFA credit score, is attributed to a systemic flaw in Anthropic's gift-billing pipeline, evidenced by GitHub issues #51404, #51168, #41499, and #47290. Anthropic's status page also noted "Elevated billing errors and unauthorized subscription changes" on the same day. After reporting the fraud with a police report, Anthropic banned the user's account, denying access to projects and data, and issued no refund. The user's bank has since issued a reclamation, returning the funds and initiating direct engagement with Anthropic's merchant account.

Key takeaway

For data science professionals and AI/ML directors evaluating vendor security, this incident highlights critical vulnerabilities in Anthropic's billing and customer support. You should scrutinize vendor security practices beyond marketing claims, especially regarding payment processing and data access. Be prepared to pursue legal and regulatory avenues, such as GDPR requests and chargebacks, if your organization faces similar systemic failures, as direct vendor support may be inadequate or even punitive.

Key insights

Anthropic's billing system has a systemic flaw allowing "Gift Max" fraud, leading to unauthorized charges and account bans for victims.

Principles

• Companies may ban users who threaten legal action.
• If a product is free, the user is often the product.

Method

To address unauthorized charges in Germany: file a police report, issue a GDPR Subject Access Request, reverse charges via bank, contact utility providers, and obtain a "Beratungshilfeschein" for legal aid.

In practice

• Initiate a formal fraud chargeback with your bank immediately.
• File a GDPR request for data logs like IP addresses and 3-D Secure authorizations.

Topics

• Anthropic Billing Security
• Gift Max Exploit
• SCHUFA Score
• GDPR Compliance
• PSD2 Directive

Best for: CTO, VP of Engineering/Data, Director of AI/ML, Legal Professional, Software Engineer, AI Ethicist

Related on AIssential

• did Anthropic just END OpenClaw? — Anthropic restricted third-party AI agents from using Claude Max subscriptions, citing economic and ecosystem control reasons.
• "They screwed us": Personality clashes sent Anthropic's models offline — Personality clashes and jailbreak concerns prompted a US government directive suspending access to Anthropic's Fable and Mythos models.
• Anthropic’s Claude Rolls Out End-User Identity Verification — Anthropic's PIDV for Claude signals generative AI's shift towards high-risk, high-value transaction contexts.
• Anthropic banned again! This time, for all of us… — Over-reliance on single AI models or providers introduces significant operational risk.
• The US banned Anthropic’s Fable 5 release, but the numbers don’t seem to care — The US government's ban on Anthropic's Fable 5 models highlights escalating regulatory intervention in AI safety and national security.
• What happened to Anthropic? — Unauthorized secondary sales of private company stock are void without explicit board approval, posing significant fraud risks.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.