Urgent Claude AI warning: Hackers are using a ‘gift’ loophole to bypass 2FA

News
By published

Some users are seeing up to five separate $100 charges labeled “Anthropic Claude" on their credit card statements

Claude app
(Image credit: Anthropic/Claude)

A growing number of Claude users are reporting unauthorized purchases tied to their Claude accounts, with patterns surfacing across Reddit and security reports.

According to findings highlighted by Frontiers in Computer Science and reported in The Guardian, modern phishing attacks are increasingly powered by automated, AI-assisted tactics, making account takeovers faster and harder to detect than ever.

Article continues below

How the scam actually works

A hand typing at a computer in a dark room, lit up by the laptop's keyboard LEDs and red LED light

(Image credit: Getty Images)

This attack doesn’t rely on breaking into Anthropic’s systems. Instead, it exploits how accounts, saved payments and gift subscriptions are currently handled. Scammers are gaining access using leaked passwords from past breaches or stolen browser sessions. In some cases, this happens through phishing emails or malware that captures login data without the user even realizing it.

But, this is where things gets sneaky, bad actors are using a "gift" loophole. Once inside, attackers don’t change your password or email, because that would raise alarms for you. Instead, they go straight to billing and send multiple gift subscriptions to external email addresses they control.

Since gifting often has fewer verification steps than account changes, it’s the fastest path to cash. From there, digital gift codes get delivered immediately, which means scammers can resell them on third-party marketplaces, often for crypto, before you even notice the charges.

Why this is happening now

Man stressed at computer

(Image credit: American Institute of Stress)

This type of fraud isn’t unique to AI. We've seen prompt injection scams and similar hacks before, but now AI platforms are becoming a new target because of how quickly they’ve scaled.

Here’s where the gap is showing up:

  • Limited payment verification: Some users report no secondary authentication (like a bank text code) for gift purchases.
  • Trusted device loophole: If a hacker hijacks an existing session, activity can look “normal” to the system. Remember, no password or user name is changed in the sneaky process.
  • Faster attack automation: AI-powered phishing and credential attacks are getting more efficient and harder to spot, especially if a user doesn't login to their account every day.

In short, even though the tools are getting smarter, protections and security are still catching up. Just last week, even the most dangerous AI in the world, got into the wrong hands.

How to protect your account right now

Sign into Claude on Windows

(Image credit: Tom's Guide)

If you use Claude (or any AI tool with saved payments), you'll want to do these three steps to stay safe:

  • Remove saved payment methods. Go to Settings > Billing and delete stored cards or payment options. Only add them when you’re actively making a purchase.
  • Log out of all devices. I'm guilty of always staying signed in, but by logging out, it forces a reset of active sessions, including any that may have been hijacked. If a scammer is already inside your account, this can cut them off instantly.
  • Watch for “gift” confirmations. Check your email for messages like “Your gift has been delivered.” If you didn’t send it, contact your bank immediately, request a refund, then secure your account.

The bottom line

This isn't a flaw with Claude, but it is a preview of what happens when fast-growing AI tools don't have enough protections in place. AI tools are rapidly improving, but the real risk is how quickly (and quietly) scammers can take control of your account.

To keep yourself safe, assume your saved payment methods are a liability, and consider removing them until Anthropic puts a 2FA system in place for gift subscriptions.

Click to follow Tom's Guide on Google News

Follow Tom's Guide on Google News and add us as a preferred source to get our up-to-date news, analysis, and reviews in your feeds. Subscribe to Tom's Guide on YouTube and follow us on TikTok.

More from Tom’s Guide

Amanda Caswell
Amanda Caswell
AI Editor

Amanda Caswell is one of today’s leading voices in AI and technology. A celebrated contributor to various news outlets, her sharp insights and relatable storytelling have earned her a loyal readership. Amanda’s work has been recognized with prestigious honors, including outstanding contribution to media.

Known for her ability to bring clarity to even the most complex topics, Amanda seamlessly blends innovation and creativity, inspiring readers to embrace the power of AI and emerging technologies. As a certified prompt engineer, she continues to push the boundaries of how humans and AI can work together.

Beyond her journalism career, Amanda is a long-distance runner and mom of three. She lives in New Jersey.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.