API · Twilio · December 22, 2025
$10,000 — a brute-forced SMS verification endpoint billed $10K in a day
Vendor: Twilio
Service: Twilio SMS / Verify
Amount: $10,000 (reported)
Timeframe: $10K in one day
Cause: SMS pumping fraud
Outcome: No vendor reply
Who's exposed: Any app with a public SMS send or verification endpoint that is not rate-limited or geo-restricted. Attackers pump traffic toward premium routes and you pay per message.
Resolution: As of posting, three weeks after the ticket, Twilio had not responded. The founder said they expected to eat the charge and only wanted a conversation.
Source: r/twilio (by u/ben_aj_84). Self-reported; several others in the thread describe the same Twilio toll-fraud pattern.
What happened
A startup ran phone verification through Twilio with Twilio's fraud protection turned on. An attacker brute-forced the verification endpoint anyway, triggering a flood of SMS sends that reached $10,000 in fees in a single day. The founder filed a support ticket the moment it happened. Three weeks later there was still no reply, despite the company spending thousands of dollars a month on the platform. They were not counting on a refund; they wanted someone to answer.
Root cause
A public endpoint that sends an SMS on each request is a direct line to money. This is SMS pumping, also called toll fraud: attackers drive verification or send requests toward premium destinations, often taking a cut of the termination fees, while the app owner pays per message. Provider-side fraud protection helps but does not replace rate limiting, and here it did not stop a determined brute force. The cost accrues in real time, so a day is enough to reach five figures.
How to avoid it
• Rate-limit and CAPTCHA the verification endpoint per IP, per number, and per session. Pumping depends on firing thousands of requests fast, so a limit strangles it at the source.
• Restrict SMS to the country codes you actually serve. Most pumping routes traffic to premium destinations you have no reason to message.
• Set a low daily spend alert on the messaging account, separate from the monthly bill. A one-day surge only reaches you in time if something is watching the day, not the invoice.
CostGoat watches your Twilio bills, so a surprise like this reaches you as an alert, not an invoice.