
Ask HN: SendGrid billed a CC I never typed into their app. How is that possible? - napsterbr
Hello there, HN,<p>Last week I was wrongly billed $21 on a SendGrid account I haven&#x27;t used for three years. They billed me for a &quot;dedicated IP address&quot;, but my free account doesn&#x27;t even have access to that feature.<p>I contacted their support and they promptly acknowledged the fact that it was an error on their end and the payment was refunded.<p>Now to the weird part: the credit card they charged was issued on April, 2019. The last time I logged into their website was December, 2017. After I got billed, I logged again and there is no mention of any credit card registered on my account (when I go to &quot;Billing&quot;, it asks me to enter my first payment method).<p>I also never used Twilio, which recently acquired SendGrid.<p>So, how on earth did they get access to that credit card number? I only register it on services I trust (Google - GSuite, Amazon - AWS, DigitalOcean, Netflix etc), and I generate a virtual credit card number for all one-time payments. The only possible way I can think of is if any of the companies I previously registered that credit card number <i>shared</i> it with SendGrid, which would be completely absurd.<p>When support notified me I would get refunded, they dodged the CC question. When I asked again, their full answer was:<p>&quot;Thank you for following up I appreciate your patience. At this time our billing team is still looking into how this happened. Again, I&#x27;m very sorry for the inconvenience.&quot;<p>And now, 3 days later, the ticket was closed without additional information.<p>Do you folks have any idea what may have happened here? Am I missing something? Is there a magic API to get someone&#x27;s CC number based on a previous one?
======
dangrossman
Yes, there _is_ a magic API to get someone's CC number based on a previous
one. It's called Visa Account Updater and MasterCard Automatic Billing
Updater.

[https://usa.visa.com/dam/VCOM/download/merchants/visa-
accoun...](https://usa.visa.com/dam/VCOM/download/merchants/visa-account-
updater-product-information-fact-sheet-for-merchants.pdf)

[https://www.mastercard.us/content/dam/mccom/en-
us/issuers/Do...](https://www.mastercard.us/content/dam/mccom/en-
us/issuers/Documents/Mastercard-Automatic-Billing-Updater-Merchant-
Global-2017.pdf)

------
treeman79
Similar issue with Bank of America debit card. Security guy for bofa said if
vendor is determined. They can contact MasterCard and obtain new card info.

~~~
napsterbr
Wow, had no idea such thing existed. Thanks for the information!

Now I wonder why their support did not say that...

~~~
clintonb
The support person probably doesn’t know about this capability.

------
clintonb
When a card is updated, the merchant (via payment provider) can request the
updated card details. This is meant to avoid disruption in recurring charges,
but has the side-effect of surprising unsuspecting customers. If you don’t
like this functionality, your bank/card issuer may let you disable, but there
are no guarantees.

------
gregjor
This belongs on Reddit along with the “I bought some Pringle’s and almost all
of the chips were broken” posts. Call the bank, cancel the charge and report
it as unauthorized. End of drama.

