#j0rd0_api


keen forumBOT
#

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1400908320231002212

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

errant hull
#

Could you share an example Payment Intent (pi_123) where the connected account charged your customer unexpectedly?

sweet crescent
#

Yes

#

I see payment ID, is that different?

errant hull
#

Stripe uses Payment Intent ID (pi_123) for the payment integration with Stripe

sweet crescent
#

pi_3Rr9C2G4Vz3FBAFI1V4qKJZJ

errant hull
#

This payment intent was created from this invoice: https://dashboard.stripe.com/acct_1M3165G4Vz3FBAFI/invoices/in_1Rr9C0G4Vz3FBAFIeydaZbPK

The invoice was created by this account directly in https://dashboard.stripe.com/logs/req_JfNqRdkqknTgvN which doesn't use any Connect at all

#

The issue is not related to Connect (platform with connected accounts)

#

I'd recommend checking how and why your system created this invoice to charge to the customer

sweet crescent
#

It didn’t.

A connect account was created, and ran some script that charged my clients, and then transferred the money out to them.

They got over 10k in like 25 minutes

#

The payment is listed under this connect account

errant hull
#

Could you share the connected account ID in text?

#

I'm unable to look into the connected account without the account ID as the photo is very blurry

sweet crescent
#

acct_1Rr8nw8DjOvV1glG

#

Can’t tell if second to last is capital i or a lowercase L

errant hull
#

I couldn't find this account in our system, and the connected account in your screenshot showed that it was rejected. When it was rejected, the connected account was unable to process payment with Stripe

sweet crescent
#

I rejected it after stopping and refunding everything

sweet crescent
#

I just need to know if there is a way to stop the creation of connect accounts

#

The people on the phone with stripe are clueless to help me. I’ve had to call 34 customers today about why I charged them hundreds of dollars last night.

I do NOT want anyone to be able to use a connect account on my merchant account

#

If I need to have my developers write code, or anything… whatever’s needed. This can cripple my business forever

indigo stump
#

Hello
There are no dashboard controls to prevent Connected Accounts from signing up unless you're onboarding them via OAuth (which is something you can disable via the dashboard, if so)

#

The other option would be to have your developer remove the portion of your integration that allows creation of Account Links using which users sign up to your Platform

sweet crescent
#

In plain text what can I enable or disable to stop their onboarding.

Do I enable OAuth, disable it?

indigo stump
#

You disable OAuth if your application uses it under Settings > Connect > Onboarding > OAuth

#

If not, you should talk to your developer about disabling the route your application uses to onboard new accounts

sweet crescent
#

My integration doesn’t have any functionality to onboard connect accounts, unless that's somehow shared with the ability to create a customer or subscription

#

I’ve disabled this as well

#

Sorry I haven’t meant to be harsh. I’m just scared it’s going to happen again 😭

#

As you can see they have been trying constantly. But the Mohamed one was verified and immediately started doing all this

indigo stump
#

> My integration doesn’t have any functionality to onboard connect accounts, unless that somehow shared with the ability to create a customer or subscription

Based on your screenshot, that doesn't seem to be true.
You must have submitted your Platform profile for Stripe Connect, otherwise there's no way someone can sign up to your account.

sweet crescent
#

It may have been something I enabled in the past? Think I may have during initial creation of merchant account, thinking that’s how I added my bank account.

But I never proceeded. And apparently they now tell me there’s no way to turn it off.

indigo stump
#

You can look at the request I shared above. Does your backend use PHP SDK?

If not, another possibility is your Secret Key has leaked

sweet crescent
#

I’ll send this to my dev team

indigo stump
#

Yeah just to be safe, you'd want to roll your API key and update your integration (in case your API key indeed leaked)

sweet crescent
#

We did that immediately to stop the attack

#

Crazy they can onboard via my api?

indigo stump
#

Gotcha and you'd also want to make sure it's not being logged anywhere because that would leak it again even if you roll it

sweet crescent
#

Logged as in like I’m saving it somewhere else?

#

I simply rotated it and left it alone. I didn’t copy it anywhere or anything

indigo stump
#

I mean, do you/your app use Stripe APIs? If so, you would need that API key on server-side to make calls to Stripe right?

sweet crescent
#

Correct, we haven’t updated things on our side and gone live again yet

#

I've been waiting all day and last night for Stripe support to call me back with solutions.

You have been the most helpful 🤗

indigo stump
#

NP! 🙂 Happy to help
Good luck