I'm seeing weird charges on my Stripe. Did I get hacked?

Short answer

Three likely causes, in rough order: (1) your Stripe secret key leaked and someone is using it, (2) an attacker stole a customer session and bought things through your app, (3) your app has a pricing bug being exploited. Lock down Stripe first — rotate the key — then trace the charges back to the source.

Go to your Stripe dashboard → Developers → API keys. Roll the secret key immediately. Then in your Stripe logs, look at the charges and note: which API key made them, which IP, and from which customer session.

**If charges are from your own key (the one you just rotated):** someone has your key. Search GitHub, screenshots, Replit deployments, old Heroku configs, old Vercel env. Securie can walk everywhere your key might live and find every copy.

**If charges are from a browser session:** your app probably has an ID-swap bug (IDOR): the attacker is buying things as another user. Log in to your own app as a test user, open a URL like `/cart` or `/checkout`, and change the ID in the URL to a second test user's ID. If you can see or check out the other cart, that's the bug.

**If charges are unusually small and varied:** it's likely a pricing-logic bug. Your app probably lets the client set the price, discount, or quantity. In checkout code, the server should look up the price by product ID from your own database and validate the quantity; nothing the client sends about price should be trusted.
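To make the last two cases concrete, here is an added example (not code from the original page or from Securie) of a checkout handler written both ways: a version that trusts the cart ID from the URL and the prices in the request body, beside a hardened version that checks the cart belongs to the session user and takes prices only from a server-side catalog. `CATALOG`, `CARTS`, `buildCheckoutVulnerable`, `buildCheckoutHardened` and the request objects are all constructed for illustration and assume an Express-style `req` with `session`, `params` and `body`.

```javascript
// Server-side catalog: the only source of truth for prices (in cents).
// Constructed sample data for this example.
const CATALOG = {
  "sku-tee": { name: "T-shirt", unitAmount: 2500 },
  "sku-mug": { name: "Mug", unitAmount: 1200 },
};

// Carts keyed by id, each owned by exactly one user. Constructed sample data.
const CARTS = {
  "cart-1": { ownerId: "user-a", items: [{ sku: "sku-tee", quantity: 2 }] },
  "cart-2": { ownerId: "user-b", items: [{ sku: "sku-mug", quantity: 1 }] },
};

class CheckoutError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// VULNERABLE (the IDOR + pricing bug the answer describes): the cart id comes
// from the URL with no ownership check, and unit price and quantity come from
// the request body, so the client decides what it pays and whose cart it uses.
function buildCheckoutVulnerable(req) {
  const cart = CARTS[req.params.cartId];
  if (!cart) throw new CheckoutError(404, "no such cart");
  const total = req.body.items.reduce(
    (sum, it) => sum + it.unitAmount * it.quantity,
    0
  );
  return { cartId: req.params.cartId, total };
}

// HARDENED: (1) the cart must belong to the authenticated session user, which
// closes the IDOR; (2) prices are looked up in CATALOG and quantities are
// validated on the server, which closes the pricing bug. Client-supplied
// price fields are never read.
function buildCheckoutHardened(req) {
  const cart = CARTS[req.params.cartId];
  // Same 404 for "missing" and "not yours", so cart ids cannot be enumerated.
  if (!cart || cart.ownerId !== req.session.userId) {
    throw new CheckoutError(404, "no such cart");
  }
  const lineItems = cart.items.map(({ sku, quantity }) => {
    const product = CATALOG[sku];
    if (!product) throw new CheckoutError(400, `unknown sku ${sku}`);
    if (!Number.isInteger(quantity) || quantity < 1 || quantity > 100) {
      throw new CheckoutError(400, `bad quantity for ${sku}`);
    }
    return { sku, quantity, unitAmount: product.unitAmount };
  });
  const total = lineItems.reduce((s, li) => s + li.unitAmount * li.quantity, 0);
  return { cartId: req.params.cartId, lineItems, total };
}

// Constructed request: user-b is logged in, points at user-a's cart, and
// claims each T-shirt costs one cent.
const maliciousReq = {
  session: { userId: "user-b" },
  params: { cartId: "cart-1" },
  body: { items: [{ sku: "sku-tee", unitAmount: 1, quantity: 2 }] },
};

console.log(buildCheckoutVulnerable(maliciousReq).total); // 2 cents, attacker-chosen
try {
  buildCheckoutHardened(maliciousReq);
} catch (e) {
  console.log(e.status, e.message); // 404 no such cart
}
```

The total the hardened handler computes is what you would pass to Stripe when creating the payment; if your handler instead reads an amount or discount off the request, that is the pricing bug the answer refers to, and a "small and varied" charge pattern in the Stripe logs is the symptom to look for.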

For all three, Securie tests them end-to-end and tells you exactly which one is happening. Request access at /scan.

People also ask