Well, what you can do is notify the card issuer about those cards that went through, so they can mark them as stolen. That surely will make the hacker really happy, and discourage them of doing it again :)

We solved this by introducing a silent block. If the system notices unusual behavior (too many payment attempts per user, for example), it no longer sends the payment attempt to the provider. Instead, it idles for a second or two and then just fails with a generic “payment declined.” Most attackers don’t notice they’re being blocked and just assume all credit cards are bad.

The $1 auth charge pattern is really common for card testing attacks.

One thing that helps beyond Turnstile: Stripe Radar rules. You can block charges under $2 from IPs that haven't had a successful payment before, or flag accounts with multiple card attempts in short windows.

Not foolproof but adds a layer before the human review kicks in.

Did they use the same username/login every time?

the $1 auth charge pattern is what makes this brutal payment processors see you as enabling card testing even if you're the victim.stripe has actually terminated accounts for this. turnstile invisible mode is basically just logging at that point,it rarely challenges anything. lesson learned the hard way i guess.

Ouch. Just one credit card change per account?

This is one of those levels of monitoring that only gets put in place after such an event. Eg whole subsystem analysis - the change card feature being used 1000s of times (well, proportional to scale) in 7 hours is a massive red flag

Cloudflare and any other anti-bot service is only good against people without willpower and knowledge to bypass them.

JS can be reversed, you clearly see what data points they use for detection. Anything can be spoofed and it will look like human behavior.

And if everything fails, you outsource it to AI - Always Indian :D

I wouldn't call this "known security issues", it's an inherent problem with any signup or forgot password page.

Also, I doubt this is going to be pissing users off since they added Turnstile in invisible mode, and selectively to certain pages in the auth flow. Already signed in users will not be affected, even if the service is down. This is way different from sites like Reddit who use their site-wide bot protection, which creates those interstitial captcha pages.

So your solution would be to do nothing?

Cloudflare is an excellent solution for many things. The internet was designed to withstand a nuclear war, but it also wasn’t designed for the level of hostility that goes on on the internet these days.

I fully agree with your comment. Wouldn't it be possible to just put off sending welcome emails until the user actually engaged with the product in some way? And if an account wigh no engagement persists for more than say three months just delete the account again under the premise of 'eroneousely created'?

I had a similar issue and evaluated alternatives. Sadly, there were none that did the job well enough.

How do you suggest to implement bot prevention that works reliably? Because at this point in time, LLMs are better at solving CAPTCHAs than humans are.

Since they updated the flow to only ever push 1 email to unverified users, I would say that's as patched as it can realistically be before you bring in the captchas.

And your solution is assume everyone on the internet is a good actor?

How would you solve this at scale?

Honestly I really like CloudFlare as a business. There's no vendor lock-in, just a genuine good product.

If they turn around later and do something evil, literally all I need to do is change the nameserver to a competitor and the users of my website won't even notice.

I had this happen recently too, also not covering up any email activity (I combed through 3000+ spam emails).

Double check that there are no forwarding rules added to your inbox and add some protection against a SIM swap.

In my case, they didn't compromise any of my accounts but did attempt to open a new credit card so it would be worth double checking your credit reports.

As is often repeated, the optimal amount of fraud is not zero

https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...

They are optimizing towards making it easy to purchase things on a whim.

Because confirming the email introduces friction. And everyone is optimising for low friction even if it risks private data leaks, which you can always blame on the user for typing their email wrong.

I have a very early gmail address. A very common first name plus two letters. It is almost unusable by now. Invoices, subscriptions, important documents about some persons real estate dealings. They all end up in my inbox.

I have around 20 or 30 google accounts attached where i am the backup email address. Those people forget their passwords or stop using their accounts and i get email notifications about that. No confirmation from my side necessary.

I set up a new address that is less likely to end up with this problem. But migrating away from the old one is not easy…

I know e-mail has a faster round-trip, but they also don't ask you to confirm snail mail.

I think it would be quite annoying to have to verify my purchase everywhere, just like how I don't wanna sign up to every single merchant online. Let me purchase as guest without having to enter OTPs.

This is intentional. Email verification is friction, so it gives users a chance to reconsider whether their purchase is really necessary. This is bad for business, because they’d prefer if you were impulsive.

Also, people usually type their emails correctly, especially these days with auto-fill. So not sending confirmation emails is optimizing for the happy path.

I am dismayed that it is legal to create an account attached to an email without validation of that email. It should be straight-up massive fine illegal to send any email other than account confirmation until validated. Validation emails should have a "do not contact me again" that works with a single click and a massive fine if it does not.

Yes it is insane. I am in same boat and have received mortgage applications, police details, applications for police jobs, massage receipts you name it. Many would be considered important leaks of customer data.

I have even had founder level emails that presumably are confidential sent to me because I share the name of someone operating in tech.

I respond or report when it's obviously some real person running a small group but for large monoliths there is very little to do except quickly reply to corporate email.

Really wish there was some kind of high level discussion about building something for this specific problem of non malicious wrong person same name errors.

Google could do it it's just not something that is monetizable at a scale they care about IMO and I have not been able to think of a way to make this work operating outside of email monoliths.

Would love to hear if anyone has ideas.

> We solved this at our startup by running names through a simple LLM filter - if the name is gibberish like Px2846skxojw just block the signup.

I hope "LLM thinks your name is gibberish" won't become the new "your name can't include invalid characters".

Then you’re also blocking legitimate users that don’t want to be tracked and use services like iCloud Hide my Emails

This doesn't seem like a very good solution to be honest. And why use an LLM for this? What if I want a legit random ass string as my username?

Using an LLM for this seems excessive when there are well established algorithms for detecting high entropy strings.

So your solution is to deploy a black box that can be worked around with a basic lookup table for a single field?

CAPTCHAs were never meant to work 100% of the time in all situations, or be the only security solution. They're meant to block lazy spammers and low-level attacks, but anyone with enough interest and resources can work around any CAPTCHA. This is certainly becoming cheaper and more accessible with the proliferation of "AI", but it doesn't mean that CAPTCHAs are inherently useless. They're part of a perpetual cat and mouse game.

Like LLMs, they rely on probabilities that certain signals may indicate suspicious behavior. Sophisticated ones like Turnstile analyze a lot of data, likely using LLMs to detect pseudorandom keyboard input as well, so they would be far more effective than your bespoke solution. They're not perfect, and can have false positives, but this is unfortunately the price everyone has to pay for services to be available to legitimate users on the modern internet.

I do share a concern that these services are given a lot of sensitive data which could potentially be abused for tracking users, advertising, etc., but there are OSS alternatives you can self-host that mitigate this.

Nice.

> useless CAPTCHAS (any sufficiently advanced bot can get around any CAPTCHA anyway). We solved this at our startup by (…). Of course this is easy to get around if the bot knows what you’re doing

So, by your own admission, your solution doesn’t get around the “sufficiently advanced bot” problem.

This is being addressed in the article. The service no longer does this, and he apologizes.

How did they access your Airbnb account?

I’d be probably safe against this because I have an email filter set so anything with an unsubscribe link gets moved to spam.

Account notification emails don’t have unsubscribes while pretty much all junk does.

Hell every non wordpress software I manage also gets bombarded by wordpress bots.(not really, I am stretching the term to refer to wordpress attack attempts for dramatic purpose. But that still ends up being about 99% of my personal site traffic)

Can you expand on that? A separate honey pot sign up page invisible to real users, or something else?

Honeypots work until the bot starts posting to every field. Dropping traffic scrubbing also means you lose the abuse reporting and IP reputation feed that a service like Cloudflare gives you, so a trick that filters one class of signup spam turns into you handling the rest of the mess yourself.

Report all received emails as spam, add a filter to get rid of the @domain.com emails, and probably add the entire service to the blacklist so it doesn't happen again. Probably get rid of any paid account on that service one might have laying around.

If the email is targeted at a domain using mail servers from any major email provider (Gmail, Outlook), the user will probably find most emails into their spam folder anyway and the sending domain will get added to the spam list automatically. Especially if the attack hits multiple users on the same email service.

I suspect everyone feels that way except SaaS providers. They could just give you a checkbox to turn the newsletter off, but they don't.

Yeah, thats part of why I hate "login with SERVICE". The big benefit would be not spamming me, but they always insist on getting my email.

There was a time were you would have to select "sign me up for your newsletter" then you had to uncheck it. Then you had to check to not get an email and now you don't even get that choice.

And lately? You have to go dig through your email because you can't set a password (looking at you Claude), so you can't filter email.

Then there's no verification step, preventing the entire mechanism of you not getting spammed.

I can't comment on if it was written by AI or not but I found the OP informative and quite dense with useful information. Nothing stood out to me as garbage.

I am quite confident that the following was NOT LLM:

> New users were signing up but not doing anything, they weren’t creating an org, a project, or a deployment, they just left an account sitting there.

Surely the LLM version is:

> New users were signing up but not doing anything; they weren't creating an org, a project, or a deployment—they just left an account sitting there.