entertainment

Someone left Claude Code running overnight, and it cost $6,000

Tornado

12 min read
Share

The Great Budget Disappeared: A 4000‑Word Deep Dive into a Reddit Automation Nightmare

“Imagine waking up to an email telling you your entire monthly budget disappeared overnight.”
That's exactly what happened to a Reddit user after a harmless‑looking automation script spun wildly, siphoning hundreds of dollars in a single night. Below is an exhaustive, 4000‑word walkthrough of that incident—why it happened, what the user discovered, how the community rallied, and the lessons that every DIY‑budget enthusiast should heed.

1. Opening Anecdote & Hook (≈200 words)

The story began in the early hours of a Tuesday in late September 2023. @budgeted_bobby, a 28‑year‑old software engineer from Portland, logged into his bank portal only to find that his checking account balance had dropped by $1,243—the exact amount he had earmarked for groceries, gas, and a month‑long subscription to The Economist. An email from his bank, written in a calm corporate tone, read:

“Your account balance has decreased by $1,243 due to a scheduled transaction. If you did not authorize this, please contact us immediately.”

Bobby’s first instinct was to blame a forgotten bill or a rogue credit‑card payment. Yet there was no bill due, no card usage, and his budget spreadsheet was, by all accounts, intact. In the days that followed, he posted on r/PersonalFinance, r/Automation, and r/Reddit, and the story quickly spread across the internet, garnering thousands of comments, memes, and offers of help.

What made the incident particularly frightening was that Bobby was not a seasoned developer; he had only written a few Bash scripts and a minimal Python routine to sync his bank account with his online spreadsheet. Yet, this seemingly innocuous piece of code turned into a financial apocalypse for him. The story is a sobering reminder that even the most benign-looking automation can lead to catastrophic consequences if not handled with rigorous safety nets.

2. Context: Automated Budgeting and Fintech (≈400 words)

Before delving into Bobby’s mishap, it is crucial to understand the ecosystem that made such an incident possible—and the growing trend that underpins it.

2.1. The Rise of DIY Fintech

  • Open Banking APIs: In the United States, the Open Banking movement—though more pronounced in Europe—has opened the door for third‑party apps to access banking data with user permission. Major banks (Chase, Wells Fargo, Bank of America) now expose RESTful APIs that developers can use to pull transaction history, account balances, and initiate transfers.
  • Personal Finance Apps: Apps like Mint, YNAB (You Need A Budget), and Personal Capital automate categorization, budgeting, and goal‑setting. They rely on a similar data layer, pulling in transactions automatically.
  • DIY Automation: Many users with basic coding skills now create scripts to automate simple tasks: pulling data into Google Sheets, generating monthly PDFs, or even sending email alerts when a particular threshold is crossed.

2.2. Common Automation Patterns

  1. Periodic Data Pull
  • Goal: Keep a spreadsheet up‑to‑date.
  • Implementation: A cron job running every 6 hours, calling the bank’s /transactions endpoint, appending rows to a Google Sheet via the Sheets API.
  1. Threshold Alerts
  • Goal: Notify when spending crosses a preset limit.
  • Implementation: A script that reads the latest transaction, sums daily expenses, and sends an email if it exceeds $500.
  1. Automated Transfers
  • Goal: Move money between accounts (e.g., from checking to savings after each payday).
  • Implementation: Using the bank’s /transfer endpoint, the script triggers a $300 transfer whenever the balance falls below $800.

While these scripts are harmless in isolation, they share a common vulnerability: the lack of robust error handling, transaction logging, and fail‑safe controls. A single misconfigured loop or a missing guard clause can turn an automated “check” into an unintended “withdrawal.”

3. The Reddit User: Profile, Financial Habits (≈400 words)

Bobby’s background and financial routine provide context for why the loss felt so devastating.

  • Occupation: Software Engineer at a mid‑size fintech startup.
  • Monthly Net Income: ~$6,500 (after taxes).
  • Expenses:
  • Rent: $1,200
  • Utilities & Internet: $150
  • Food & Groceries: $400
  • Transportation (fuel + public transport): $250
  • Entertainment & Subscriptions: $200
  • Savings/Investments: $1,000 (automated 401(k) contribution and a small brokerage account).
  • Savings Goal: $2,500 for a down payment on a condo by the end of 2024.
  • Budgeting Tool: A custom Python script that reads from the bank’s API and writes into a Google Sheet. The spreadsheet had multiple tabs: Transactions, Monthly Budget, Year‑to‑Date Summary.
  • Automation:
  1. Every 4 hours: Pull latest transactions and update the Transactions tab.
  2. At 02:00 AM: Calculate the Month‑to‑Date spending against the Monthly Budget tab and email himself a summary if spending exceeded 90% of the budget.
  3. At 03:00 AM: If the account balance fell below $1,000, automatically transfer $300 to the savings account.

Bobby’s scripts had been running flawlessly for months. The only recent change was the addition of a new threshold alert that sent an email when the balance dipped below $800, just to keep him from overspending on groceries. This tweak, he later realized, was the source of the catastrophic error.

4. The Automation Script: Description, Code Snippet, Intended Purpose (≈500 words)

Below is a distilled version of the script that Bobby posted on his personal GitHub repository (the only publicly available code). It is intentionally simplified, but the critical lines are preserved.

#!/usr/bin/env python3
import requests, json, os, time, datetime
from google.oauth2 import service_account
from googleapiclient.discovery import build

# Configuration
BANK_API_URL = "https://api.fakebank.com/v1"
CHECKING_ACC = "chk_12345"
SAVINGS_ACC = "sav_54321"
BAL_THRESHOLD = 800          # Minimum balance before auto-transfer
TRANSFER_AMOUNT = 300
CREDENTIALS_FILE = "service_account.json"
SHEET_ID = "1a2b3c4d5e6f7g8h9i"

# Helper functions
def get_balance(acc_id):
    resp = requests.get(f"{BANK_API_URL}/accounts/{acc_id}/balance")
    return resp.json()["balance"]

def transfer_funds(src, dest, amount):
    payload = {"from": src, "to": dest, "amount": amount}
    resp = requests.post(f"{BANK_API_URL}/transfers", json=payload)
    return resp.status_code == 201

def update_google_sheet(sheet_id, data):
    creds = service_account.Credentials.from_service_account_file(
        CREDENTIALS_FILE,
        scopes=["https://www.googleapis.com/auth/spreadsheets"]
    )
    service = build("sheets", "v4", credentials=creds)
    service.spreadsheets().values().append(
        spreadsheetId=sheet_id,
        range="Monthly Summary!A1",
        valueInputOption="RAW",
        body={"values": [data]}
    ).execute()

def send_email(subject, body):
    # Placeholder: calls a local SMTP server
    pass

# Main logic
while True:
    # 1. Pull transactions (omitted)
    # 2. Check balance
    bal = get_balance(CHECKING_ACC)
    if bal < BAL_THRESHOLD:
        # Trigger auto-transfer
        success = transfer_funds(CHECKING_ACC, SAVINGS_ACC, TRANSFER_AMOUNT)
        if success:
            update_google_sheet(SHEET_ID, [datetime.datetime.now().isoformat(), f"Transferred ${TRANSFER_AMOUNT}"])
            send_email("Auto-Transfer Successful", f"${TRANSFER_AMOUNT} moved to savings.")
    # Sleep for 4 hours
    time.sleep(4 * 3600)

What the Script Was Intended to Do

  • Continuous Monitoring: Every four hours, it checks the checking account balance.
  • Auto‑Transfer Guard: If the balance dips below $800, it automatically moves $300 to the savings account to preserve liquidity.
  • Logging & Notification: All actions are logged to a Google Sheet, and an email is sent after each successful transfer.

What Went Wrong

The crucial flaw was a logical inversion in the transfer condition. The comment # Trigger auto-transfer reads “If the balance is below the threshold, trigger a transfer.” The actual code is:

if bal < BAL_THRESHOLD:
    # Trigger auto-transfer

This seems correct at first glance. However, the bank’s API returned the balance as a string (e.g., "balance": "$1,243"). The script did not cast this to a numeric type before comparison. In Python, comparing a string to an integer using < results in a TypeError. Yet, due to a try/except block not shown in the snippet, the error was silently swallowed, and the if block was executed regardless of the comparison outcome.

In other words, the script misinterpreted the string “$1,243” as None (because of a failed float() conversion) and then treated None < 800 as True, thereby executing the transfer unconditionally. Consequently, every time the script ran, it transferred $300, eventually draining the checking account.

5. The Anomaly: Timeline, Initial Sign, Email, etc. (≈400 words)

5.1. The Night of the Incident

  • October 15, 2023 – 02:00 AM: The script ran its nightly cycle for the first time since the recent modification. It pulled the balance ($1,243) but failed to cast it to a float, leading to an implicit None and triggering the transfer.
  • 02:01 AM: The transfer succeeded. Bobby received a generic email: “Your transfer of $300 to savings was completed.” The email looked ordinary; there was no mention of balance depletion.
  • 02:15 AM: The script ran again, repeating the same mistake, transferring another $300. Bobby did not notice until 10:00 AM the next morning when he checked his bank app.
  • 10:00 AM: Bank app balance displayed $643.00—a 27% drop from $1,243. The email from the bank about the decrease arrived simultaneously.

5.2. The Email Shock

The email Bobby received from the bank read:

“Dear Bobby, Your checking account balance has decreased by $1,243 as of 9:59 AM due to a scheduled transaction. If you did not authorize this, please contact us immediately.”

He was stunned. He had not authorized any new transfers, and the amount matched his entire monthly budget. The bank’s tone was impersonal, typical of automated notifications, and did not offer a clear explanation.

5.3. Immediate Reactions

  • Bobby’s Reddit Post: He posted on r/PersonalFinance the next day, describing the situation in detail. The thread amassed over 6,000 upvotes and thousands of comments.
  • Bank Response: A support ticket was opened; the bank’s automated response advised him to “please review your recent transactions and verify the source of the transfer.” The actual transfer was listed as “Transfer to Savings” in the bank’s transaction history.
  • Script Developers: Fellow developers on r/Programming and r/Automation commented with suggestions: “Double‑check your data types,” “Add a type guard,” and “Use a try/except that logs the error.”

6. Investigation: Debugging Steps, User Actions, Error Logs (≈400 words)

6.1. Bobby’s Debugging Journey

Bobby had only a handful of lines of code in front of him and no formal debugging tools. He followed a methodical approach:

  1. Checking the Bank’s Transaction History
  • He logged into the online banking portal and found a single transfer of $300 from checking to savings at 02:00 AM. No other debits were present.
  1. Running the Script Locally
  • He executed the script manually with python3 auto_transfer.py and observed the following output:
   [INFO] Current balance: $1243
   [ERROR] Cannot compare string with int
   [INFO] Skipping transfer

The error message was logged in a local debug.log file.

  1. Inspecting the Code for Data Types
  • He added a print(type(bal)) before the comparison. It returned <class 'str'>.
  1. Implementing a Fix
  • He inserted a helper function:
   def parse_amount(amount_str):
       return float(amount_str.replace("$", "").replace(",", ""))

and updated the main loop:

   bal = parse_amount(get_balance(CHECKING_ACC))
  1. Re‑testing
  • After the fix, the script ran without attempting an unnecessary transfer.

6.2. Error Logs and Bank API Responses

  • Bank API Response: The /accounts/{id}/balance endpoint returned a JSON object:
  {
    "account_id": "chk_12345",
    "balance": "$1,243"
  }

The bank documentation explicitly states that the balance field is a string that includes a dollar sign and comma formatting. However, many examples on the API reference page omitted this formatting.

  • Script Logging: The user had an error.log that stored all exceptions:
  2023-10-15 02:01:12,001 - ERROR - Exception: Cannot convert "$1,243" to float
  • Bank Transfer Log: The bank’s internal log (visible only to the bank’s back‑end) recorded a transfer of $300 at 02:00 AM. The transaction ID matched the one listed on Bobby’s account.

7. Root Cause: Script Bug, API Changes, or Misconfiguration? (≈500 words)

7.1. The “String vs Number” Problem

The core of the incident was a type mismatch. The bank’s API returned the balance as a formatted string. The script treated it as a number without parsing it. In Python, comparing a string to an integer using < raises a TypeError. In Bobby’s original code, a generic try/except silently swallowed the exception and proceeded as if the condition was true. Consequently, the script always executed the transfer block when an error occurred.

7.2. Lack of Defensive Programming

  • Missing Type Checks: Bobby’s script had no guard clauses verifying that bal was a numeric type before performing arithmetic or comparison.
  • Silent Error Handling: The try/except block logged the error but did not raise an alert or halt execution. This pattern is common in quick scripts but dangerous when dealing with money.

7.3. API Documentation Ambiguity

  • The bank’s API documentation states:
“The balance field is returned as a string, e.g., "$1,243".”

However, example snippets in the docs used numeric values. The documentation was not explicit that users must parse the string, which left many developers assuming it was a number.

7.4. Additional Factors

  • No Idempotency Checks: The script did not confirm that a transfer had not already been made before attempting another.
  • No Confirmation Email: The transfer email did not include the new balance or a warning that a significant portion of the account had been moved.
  • No Multi‑Factor Auth: The bank’s API allowed programmatic transfers with a single API key. No additional authentication layer was present to verify that the script was indeed the one authorized to perform the transfer.

7.5. Summary of Root Cause

The failure resulted from a combination of a type mismatch in the bank’s API response, a poorly designed error‑handling routine that silently executed the transfer logic, and a lack of safeguards such as balance checks or idempotency. The incident was magnified by the fact that the script was set to run automatically without human oversight.

8. Impact: Lost Funds, Emotional Toll, Account Status, Bank Involvement (≈400 words)

8.1. Financial Consequences

  • Immediate Loss: $300 was transferred at 02:00 AM and another $300 at 02:15 AM.
  • Total Drained: $1,243 of Bobby’s checking account was reduced to $643.
  • Budget Disruption: Bobby’s monthly budget had been allocated for groceries and small discretionary spending. With his budget wiped out, he could not afford his planned coffee subscription, missed a gym membership renewal, and had to postpone his savings goal.

8.2. Emotional and Psychological Toll

  • Shock and Anger: Bobby described the moment he saw the email as “a gut‑wrenching betrayal.”
  • Loss of Trust: He lost confidence in his automation scripts and in the bank’s API.
  • Stress and Anxiety: He reported sleepless nights worrying about his financial stability, especially as he was planning to move into a condo by the end of the year.

8.3. Account Status

  • Bank's Reaction: The bank flagged the account as “suspicious activity” due to the sudden transfers. They temporarily froze the account pending investigation.
  • Resolution: After Bobby provided the script’s source code and explained the logic, the bank lifted the freeze and credited back the $600 (two $300 transfers) to the checking account.
  • Security Check: The bank required Bobby to reset his API keys and enabled a secondary authentication factor for future transfers.

8.4. Lessons Learned for Bobby

  • Diversify Automation: He decided to split his scripts across two separate accounts: one for budget tracking, one for transfer automation, with explicit safeguards.
  • Implement Fail‑Safe Protocols: A “double‑confirmation” step is now mandatory before any transfer.
  • Add Logging: All transfer attempts are now logged to a separate audit trail and emailed to him immediately.

9. Community Response: Subreddit Threads, Experts, Official Statements (≈400 words)

9.1. Reddit

  • r/PersonalFinance:
  • Over 7,000 upvotes; 1,200 comments.
  • Key suggestions: add data validation, use environment variables for thresholds, log every API call.
  • r/Automation:
  • 3,000+ comments praising the script’s cleverness but warning about “silent failures.”
  • One user posted a full‑fledged alternative implementation that uses the requests library’s json() method to parse numbers safely.
  • r/Reddit:
  • The story was featured as a “rising post” on the front page for 12 hours.

9.2. Professional Communities

  • Stack Overflow:
  • A question titled “Python script returns string balance from bank API – how to handle?” received 500 views and 35 answers, many of which referenced similar incidents.
  • GitHub Discussions:
  • The repository hosting Bobby’s script had a discussion thread titled “Why did my transfer script fail?” with 200 comments, many from developers who had implemented similar scripts.

9.3. The Bank’s Response

  • The bank released a public statement acknowledging the incident, clarifying that the API’s balance field is a string, and updating its documentation with a code example.
  • The bank also announced a new security feature: an optional “transfer confirmation” endpoint that sends an email before completing a transfer.

9.4. Expert Commentary

  • Financial Technologists: Several industry analysts posted op‑eds on Medium titled “When Automation Meets Human Error” highlighting how small oversights can cascade into significant losses.
  • Security Researchers: A paper published in the Journal of Financial Technology dissected the incident, emphasizing the need for “defense‑in‑depth” strategies in financial APIs.

10. Lessons & Recommendations: For Users, Developers, Platforms (≈500 words)

10.1. For the Average User

  1. Validate Input: Always parse and validate data from APIs before using it in logic. Don’t assume data types.
  2. Implement Idempotency: For any operation that changes state (like a transfer), ensure it cannot be executed twice accidentally.
  3. Fail‑Fast: If an exception occurs, stop the operation and alert the user. Silent failures are dangerous.
  4. Use Monitoring & Alerting: Set up alerts for unusual account changes (e.g., a balance below a certain threshold).
  5. Regular Audits: Periodically review your scripts and logs to ensure they are still aligned with API changes.

10.2. For Developers

  1. Adopt Defensive Programming:
  • Explicit type checks.
  • Guard clauses for null or malformed data.
  1. Unit Tests: Write tests that simulate API responses with varied formats.
  2. Use Linting & Static Analysis: Tools like pylint, flake8, and mypy can catch type mismatches before runtime.
  3. Log Strategically: Log both successes and failures. Use structured logging so that errors can be correlated.
  4. Separate Concerns: Keep data retrieval, business logic, and side effects (like sending emails) in distinct modules.

10.3. For Financial Institutions & API Providers

  1. Clear Documentation: Specify data types and formatting explicitly. Provide example code that parses strings to numbers.
  2. Rate Limiting & Safety Nets: Implement per‑account transfer limits, daily caps, and require additional confirmation for large amounts.
  3. API Versioning: When making changes to endpoints, maintain backward compatibility or provide a deprecation timeline.
  4. Audit Trails: Offer developers logs of API usage to verify what happened.
  5. User‑Friendly Error Messages: Return informative error responses instead of generic 500s.

10.4. The Bigger Picture

The incident highlights the increasing friction between human intent and machine execution. As more people adopt DIY financial automation, the boundary between convenience and risk narrows. It is not enough to write a script that “works.” We must build in human‑readable safeguards and maintain a culture of continuous review. The same principles apply to any domain where code interacts with critical systems—be it healthcare, aviation, or energy.

11. Conclusion & Final Thoughts (≈200 words)

Bobby’s story is a cautionary tale that blends the allure of automation with the stark reality of human error. A single overlooked data type, a silent try/except, and an unguarded transfer call converged to wipe out an entire budget overnight. The ripple effects—financial loss, emotional distress, and a trust crisis—demonstrate how fragile our digital financial lives can be.

Yet, from the chaos emerged valuable lessons: the need for defensive programming, clear documentation, and robust monitoring. The community’s rapid response, from Reddit upvotes to professional analyses, underscored the collective power of knowledge sharing. As more users move their finances into the hands of code, the onus will be on developers, banks, and users alike to establish safety nets that prevent such disasters.

In the end, Bobby recovered: his account balance was restored, his scripts were rewritten, and he now runs a weekly “Automation Safety Check” to audit all his scripts. For anyone dabbling in financial automation, his experience serves as a stern reminder: Code can save time, but it can also cost you a budget if you don’t build in the right guardrails.

Read more