[dahfizz]

This is the first I'm hearing of this, so I might be missing some information, bit I don't understand how this is Twilio's fault or responsibility.

Your service got hit with a ddos-style attack that translated into you using twilio to send lots of texts. This cost you a lot of money.

I don't see how this is categorically different than your kid "accidentally" buying movies on Amazon prime or something like that. No way a credit card company would accept a chargeback in that scenario.

Ultimately, you used their product in the intended way. Of course you're on the hook for the bill.

[richbell]

> I don't see how this is categorically different than your kid "accidentally" buying movies on Amazon prime or something like that. No way a credit card company would accept a chargeback in that scenario.

The issue isn't the scale or volume, per se, it's that a bad actor has set up premium numbers (that cost $$$ to message) and is systematically wracking up fraudulent charges via websites sending 2FA codes. Twilio is seemingly aware of the fraud campaign targeting its users, but is not doing a great job protecting them and forcing them to bear the costs.

A better analogy, I think, would be a crime ring skimming credit cards at a gas station and wracking up charges that should be obvious fraud (different country, large amounts, etc.); and when a victim contacts their CC company they go "oh yeah that Shell station is notorious for fraud we've had lots of complaints recently" but refuse to chargeback.