I'm seeing weird charges on my Stripe. Did I get hacked?
Three likely causes, in rough order: (1) your Stripe secret key leaked and someone is using it, (2) an attacker stole a customer session and bought things through your app, (3) your app has a pricing bug being exploited. Lock down Stripe first — rotate the key — then trace the charges back to the source.
Go to your Stripe dashboard → Developers → API keys. Roll the secret key immediately. Then in your Stripe logs, look at the charges and note: which API key made them, which IP, and from which customer session.
**If charges are from your own key (the one you just rotated):** someone has your key. Search GitHub, screenshots, Replit deployments, old Heroku configs, and old Vercel environment variables. Securie's scan (launching this year) will walk everywhere your key might live and find every copy. Join the list for a week-1 run.
**If charges are from a browser session:** your app probably has an ID-swap bug (IDOR), where an attacker is buying things as another user. Log in as a test user in your own app, check a URL like `/cart` or `/checkout`, and try changing the ID in the URL. If you can swap to another cart, that's the bug.
**If charges are unusually small and varied:** it's likely a pricing-logic bug. Your app probably lets the client set the price, discount, or quantity. In checkout code, the price should come from your server or database, never from the client.
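The pricing-logic case above, as an added example (not code from this page, Securie, or Stripe): a checkout total computed from client-supplied fields next to one computed from server-side data. `CATALOG`, `COUPONS`, `MAX_QTY`, the function names, and the sample cart are hypothetical stand-ins for your own product table and request body.

```javascript
// Constructed server-side data (amounts in cents); in a real app this is your database.
const CATALOG = new Map([
  ["sku_tshirt", { unitAmount: 2500 }],
  ["sku_mug", { unitAmount: 1200 }],
]);
const COUPONS = new Map([["WELCOME10", 10]]); // coupon code -> percent off
const MAX_QTY = 20; // assumed per-line limit

// Weak pattern: the browser's price field decides what gets charged.
function naiveTotal(cart) {
  return cart.reduce((sum, item) => sum + item.price * item.quantity, 0);
}

// Hardened: only SKU, quantity and coupon code are read from the client.
// Price and discount percent are looked up server-side; anything else is rejected.
function serverTotal(cart, couponCode) {
  if (!Array.isArray(cart) || cart.length === 0) {
    throw new Error("empty or malformed cart");
  }
  let total = 0;
  for (const item of cart) {
    const product = CATALOG.get(String(item.sku));
    if (!product) throw new Error(`unknown sku: ${item.sku}`);
    const qty = item.quantity;
    // Rejects negative, zero, fractional, string and oversized quantities.
    if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QTY) {
      throw new Error(`invalid quantity for ${item.sku}`);
    }
    total += product.unitAmount * qty;
  }
  const pct = couponCode == null ? 0 : COUPONS.get(couponCode);
  if (pct === undefined) throw new Error("unknown coupon");
  return total - Math.floor((total * pct) / 100);
}

// Constructed request body in which the client-side price field was altered.
const tampered = [
  { sku: "sku_tshirt", price: 1, quantity: 2 },
  { sku: "sku_mug", price: 1200, quantity: 1 },
];

console.log("client-trusting total:", naiveTotal(tampered));
console.log("server-side total:", serverTotal(tampered));
```

The amount handed to the payment API should be the `serverTotal` result; a mismatch between the two totals in your order history is a sign the client-trusting path was in use.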
For all three, Securie's scan (launching this year) will test them end-to-end and tell you exactly which one is happening. Join the list to have it run on your app in week 1.