We Leaked 1,368 Customers into Our LIVE Stripe Account via E2E Tests

Six weeks ago we wired up signup-to-paid-plan E2E tests against our staging stack. Last week we found 1,368 fake customers in our production Stripe account. No charges. No invoices. No alert ever fired. Here is what went wrong, the boring fix, and a checklist to see whether the same pattern is silently filling your own Stripe.

The pattern fires silently. Stripe charges nothing for Customer objects, so the usual monitoring catches none of it.

The setup that looked fine

Our signup flow does what every SaaS signup flow does. POST email and password → create a row in users → call stripe.Customer.create with the email → store the returned cus_xxx on the user row → send a welcome email. Nothing exotic.

Our E2E suite, run on every commit to master, signs up a fresh user, walks the onboarding, hits the dashboard, signs out. Around 30 signups per CI run. Test emails follow a pattern: {slug}+e2e@access-proof.com.