The bill that did not make sense: what a breach actually feels like
Not the technical breakdown — the human one. The charge that made no sense, the 72 hours after, and the three changes I would beg every founder to make this week.
It started with a number. I was half-awake, scrolling through an email I almost did not open, and there was a charge from one of our service providers that was wrong by an amount that did not make sense. Not double. Not a billing mistake. A figure with too many digits in it, the kind your brain refuses to read correctly the first time, so you read it again, and then a third time, and somewhere in that third read the bottom drops out of your stomach. You already know. Before you understand anything, you know.
I am writing this the way a friend would tell you over coffee, because everything I found afterward was written for engineers at companies with security teams, and that was not me, and it is probably not you. I had one person on the technical side and a real business with real customers, and I want to tell you what the next three days were actually like, because nobody warned me.
The first 72 hours
The first thing that surprised me was how alone you are. You assume that the moment you report this, someone competent and calm takes over. They do not. You enter a queue. You explain what happened to a support person who did not write the playbook and cannot deviate from it, and then you explain it again to a different one, and you start to realize the script is designed to slow you down, not help you. You are bleeding and you are on hold.
The second thing was the documentation. To get anyone to take it seriously, I had to build a case from nothing, in real time, while exhausted. Timestamps. Screenshots. A timeline of who accessed what and when, assembled out of logs I had never looked at before and barely understood. I was doing forensic work on my own business at two in the morning, learning the tools as I went, because there was no record of normal to compare the abnormal against. I had never written down what our own systems were supposed to look like, so I could not prove what they were not supposed to be doing.
The third thing was the quiet, specific grief of realizing the platform does not care about you the way you cared about it. You trusted it. You built your livelihood on top of it. And in the worst moment, it treated you like a ticket number, because to it, that is what you are. That is not cruelty. It is just the truth of the arrangement, and you only feel it when you need them to feel it too.
Why we let this happen
When the adrenaline drained, I had to ask the harder question: how was I this exposed? And the answer was not that I was ignorant. I knew, in the abstract, all the things I was supposed to do. The real answer is misplaced trust. I trusted that because nothing had gone wrong, nothing would. I trusted that the defaults were safe. I trusted that this was the kind of thing that happened to bigger or more careless people. Founders do not underprotect their infrastructure because they do not understand the risk. They underprotect it because the work of protecting it is invisible and dull right up until the single day it is the only thing that matters, and that day never feels like today.
Three things, this week
I am not going to send you to an enterprise vendor or hand you a checklist of forty controls. I want you to do three things this week, and they are the three I wish someone had made me do.
Turn on two-factor authentication everywhere that money or customer data can be reached, and do it with an app or a hardware key, not text messages. This one change closes the door that most of these incidents walk through, and it takes an afternoon you will never miss.
Set up billing and usage alerts on every account that can charge you, with a threshold low enough to wake you up. The reason a breach gets expensive is not that it happens; it is that it runs for days before anyone notices. The whole disaster I lived through was, underneath, a notification I never set up.
Stop sharing one login. Every person who touches your systems gets their own access, scoped to only what they need, so that when something goes wrong you can see who, and you can shut one door without locking everyone out. Shared credentials feel efficient until the day you cannot tell your own people apart from a stranger.
None of this is sophisticated. That is the point. The gap between me and the version of me who would have slept through that month was not expertise. It was three boring decisions I kept meaning to make and never did, because the business felt fine, right up until the morning it did not. Make them before you have your own number to stare at. You do not want to learn this the way I did.