I was going to say the same thing. There are some active Stripe folks on here, curious if this post itself will trigger anything internally there.

And Stripe can shut it down then respond with "we can only discuss this with a Director of the company. Let us know when you have one and are legally able to be in business."

Can you disable an account if you have the secret key?

Honest question, is that still within the roam of ethical hacking?

I’d argue that it’s ethically the right decision — particularly when the SaaS provider seem to be burying their head in the sand. Legally on the other hand?

In Stripe's case, I've been very happy with how responsive their support is (even my Suggestion Box submissions get personal replies) - I'd expect Stripe to suspend that account within a couple of hours, regardless of the time-of-day.

But if it was, say, Authorize.net (I can't be the only one?) I'd probably take direct-action (via an anonymous proxy, of course - legacy companies just can't stop themselves shooting the messenger first...)

(Disclaimer: I haven't had to deal with Authorize.net since 2016 - can anyone say if things improved since then?)