[URGENT] Critical Billing Loophole, Widespread Abuse, and Massive Resale of Cursor Edu Partner Benefits

Hi Cursor Team,

I am writing to report a severe and widespread abuse of the Cursor Edu Partner program (which offers 6 months of free Pro+ for students at universities like Stanford, CMU, etc.).

It has come to my attention that a large number of users are actively exploiting loopholes via packet sniffing and parameter manipulation to fraudulently obtain high-tier subscriptions for free. Furthermore, an underground market has already emerged where these bad actors are massively reselling these fraudulently obtained premium accounts at 70% to 80% of your official retail price.

Here are the specific methods currently being used to exploit the system:

1. Email Alias Abuse

Some universities allow students to create multiple email aliases for a single account. Bad actors are using this feature to register numerous Cursor accounts under different aliases, hoarding the 6-month free Pro+ benefit to generate inventory for resale.

2. Bypassing Domain Restrictions via Request Manipulation

By capturing and modifying network requests during the registration/checkout process, users are bypassing the .edu domain validation. This allows them to apply the educational benefit to completely unrelated, standard email addresses (such as Outlook or Gmail accounts).

3. Stripe Promo Code Misconfiguration (The Most Critical Issue)

The promo code applied during the Stripe checkout seems to be configured as an unconditional “100% OFF” discount. Users have realized that by manipulating the subscription type payload during checkout, they can apply this 100% discount to other, much more expensive subscription tiers. For example, people are successfully securing Ultra Annual and Pro+ Annual subscriptions entirely for free.

Below, I have attached several screenshots circulated by these resellers showing successful zero-dollar checkouts for annual plans and their sales advertisements. This exploit has already caused large-scale financial damage.

I highly recommend that your engineering and billing teams immediately take the following actions:

  • Correct the Stripe promo code configuration so it is strictly locked to the specific 6-month monthly Pro+ plan.

  • Implement strict server-side validation for the email domain during the checkout process.

  • Integrate a robust third-party verification service like SheerID (preferably requiring video verification or document uploads) to strictly authenticate genuine student status and stop alias abuse.

  • Audit recent zero-dollar transactions and revoke the illegally acquired subscriptions.

Hope this major loophole gets patched as soon as possible before more damage is done!

Best regards,

Fin Tagg
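
The server-side checks recommended in the post above, as an added example that is not part of the original post and is not Cursor's code. The promo id, plan names, partner domains and the `studentId` field (standing in for the result of a student-verification service) are all assumptions made for illustration.

```javascript
// Added example: server-side policy check for an education promo checkout.
// Every id, plan name and domain below is constructed for illustration.
const EDU_PROMO = {
  id: "edu-6mo-proplus",             // hypothetical promo id
  allowedPlan: "pro_plus_monthly",   // the only plan the discount may touch
  months: 6,
  partnerDomains: new Set(["stanford.edu", "cmu.edu"]),
};

// Domain of an address: everything after the last "@", lower-cased.
function emailDomain(email) {
  const at = String(email).lastIndexOf("@");
  return at < 1 ? "" : email.slice(at + 1).trim().toLowerCase();
}

// True for a partner domain or a subdomain of one (dot-boundary match,
// so "evilstanford.edu" does not pass as "stanford.edu").
function isPartnerDomain(domain) {
  for (const d of EDU_PROMO.partnerDomains) {
    if (domain === d || domain.endsWith("." + d)) return true;
  }
  return false;
}

// account:  server-side record (verified email, verified student id).
// body:     untrusted JSON sent by the client.
// redeemed: Set of student ids that have already used the promo.
function authorizeEduCheckout(account, body, redeemed) {
  if (body.promoId !== EDU_PROMO.id)
    return { ok: false, reason: "unknown_promo" };
  // Eligibility comes from the stored, verified address only; any email
  // or domain field in the request body is ignored.
  if (!account.emailVerified || !isPartnerDomain(emailDomain(account.email)))
    return { ok: false, reason: "email_not_eligible" };
  // The discount is bound to one plan; any other plan in the payload is refused.
  if (body.plan !== EDU_PROMO.allowedPlan)
    return { ok: false, reason: "plan_not_covered" };
  // One redemption per verified person, so extra aliases do not multiply it.
  if (!account.studentId || redeemed.has(account.studentId))
    return { ok: false, reason: "already_redeemed_or_unverified" };
  redeemed.add(account.studentId);
  // Plan and duration are returned from server config, never echoed from body.
  return { ok: true, plan: EDU_PROMO.allowedPlan, months: EDU_PROMO.months };
}
```
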

Hi there!

We detected that this may be a bug report, so we’ve moved your post to the Bug Reports category.

To help us investigate and fix this faster, could you edit your original post to include the details from the template below?

Bug Report Template

Where does the bug appear (feature/product)?

  • Cursor IDE
  • Cursor CLI
  • Background Agent (GitHub, Slack, Web, Linear)
  • BugBot
  • Somewhere else…

Describe the Bug
A clear and concise description of what the bug is.


Steps to Reproduce
How can you reproduce this bug? We have a much better chance at fixing issues if we can reproduce them!


Expected Behavior
What is meant to happen here that isn’t working correctly?


Screenshots / Screen Recordings
If applicable, attach images or videos (.jpg, .png, .gif, .mp4, .mov)


Operating System

  • Windows 10/11
  • MacOS
  • Linux

Version Information

  • For Cursor IDE: Menu → About Cursor → Copy
  • For Cursor CLI: Run agent about in your terminal
IDE:
Version: 2.xx.x
VSCode Version: 1.105.1
Commit: ......

CLI:
CLI Version 2026.01.17-d239e66

For AI issues: which model did you use?
Model name (e.g., Sonnet 4, Tab…)


For AI issues: add Request ID with privacy disabled
Request ID: f9a7046a-279b-47e5-ab48-6e8dc12daba1
For Background Agent issues, also post the ID: bc-…


Additional Information
Add any other context about the problem here.


Does this stop you from using Cursor?

  • Yes - Cursor is unusable
  • Sometimes - I can sometimes use Cursor
  • No - Cursor works, but with this issue

The more details you provide, the easier it is for us to reproduce and fix the issue. Thanks!

    fetch("https://cursor.com/api/dashboard/activate-promotion", {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      credentials: "include",
      body: JSON.stringify({
        promoTypeId: ""
      }),
    })

Hi @Fin_Tagg

Thanks for reporting! I’ve passed your message along internally. I’ve also hidden this post, to not expose any potential issues while we investigate.