#deepstitch
I don't think so, as you need the secret API key (not the public one) to create and confirm Setup Intents.
I thought so, which makes me worry whether the secret key was compromised
Having trouble figuring out how to investigate this. I suppose they could set up a form on another site and try to hit our backend with the public key, if CORS isn't working properly
Yes, if you configured CORS to accept requests from any domain, though I would imagine that is not the default setting and someone would have had to change that for such a thing to be possible.
Our support folks have a workflow for helping with card testing, so if it is ongoing I would highly recommend reaching out to them, as they can escalate to people who specialize in card-testing and can work with you to identify how to stop it: https://support.stripe.com/contact/email
There are also a few mitigation practices worth mentioning here: https://stripe.com/docs/disputes/prevention/card-testing#prevent-card-testing, though I would roll your API keys first and foremost if you suspect they might've been compromised