Comment by cortesoft
1 day ago
I am really confused as to what happened here. The use of ‘disabled organization’ to refer to the author made it extra confusing.
I think I kind of have an idea what the author was doing, but not really.
1 day ago
I am really confused as to what happened here. The use of ‘disabled organization’ to refer to the author made it extra confusing.
I think I kind of have an idea what the author was doing, but not really.
Years ago I was involved in a service where we some times had to disable accounts for abusive behavior. I'm talking about obvious abusive behavior, akin to griefing other users.
Every once in while someone would take it personally and go on a social media rampage. The one thing I learned from being on the other side of this is that if someone seems like an unreliable narrator, they probably are. They know the company can't or won't reveal the true reason they were banned, so they're virtually free to tell any story they want.
There are so many things about this article that don't make sense:
> I'm glad this happened with this particular non-disabled-organization. Because if this by chance had happened with the other non-disabled-organization that also provides such tools... then I would be out of e-mail, photos, documents, and phone OS.
I can't even understand what they're trying to communicate. I guess they're referring to Google?
There is, without a doubt, more to this story than is being relayed.
"I'm glad this happened with Anthropic instead of Google, which provides Gemini, email, etc. or I would have been locked out of the actually important non-AI services as well."
Non-disabled organization = the first party provider
Disabled organization = me
I don't know why they're using these weird euphemisms or ironic monikers, but that's what they mean.
Because they bought a claude subscription on a personal account and the error message said that they belongs to a "disabled organization" (probably leaking some implementation details).
7 replies →
Is it? It sounded to me like they're still using the other Claude instance (Claude B, using their terminology in the article). I could be wrong though, which I guess would just be more evidence that they were more confusing in their phrasing than they needed to be.
No, "another non-disabled organization" sounds like they used the account of someone else, or sockpuppet to craft the response. He was using "organization" to refer to himself earlier in the post, so it doesn't make sense to use that to refer to another model provider.
6 replies →
He used “organization” because that’s what Anthropic called him, despite the fact he is a person and not an “organization”.
2 replies →
Tangential but you reminded me of why I don't give feedback to people I interview. It's a huge risk and you have very low benefit.
It once happened to me to interview a developer who's had a 20-something long list of "skills" and technologies he worked with.
I tried basic questions on different topics but the candidate would kinda default to "haven't touched it in a while", "we didn't use that feature". Tried general software design questions, asking about problems he solved, his preferences on the way of working, consistently felt like he didn't have much to argue, if he did at all.
Long story short, I sent a feedback email the day later saying that we had issues evaluating him properly, suggested to trim his CV with topics he liked more to talk about instead of risking being asked about stuff he no longer remembered much. And finally I suggested to always come prepared with insights of software or human problems he solved as they can tell a lot about how he works because it's a very common question in pretty much all interview processes.
God forbid, he threw the biggest tantrum on a career subreddit and linkedin, cherrypicking some of my sentences and accusing my company and me to be looking for the impossible candidate, that we were looking for a team and not a developer, and yada yada yada. And you know the internet how quickly it bandwagons for (fake) stories of injustice and bad companies.
It then became obvious to me why corporate lingo uses corporate lingo and rarely gives real feedback. Even though I had nothing but good experience with 99 other candidates who appreciated getting proper feedback, one made sure I will never expose myself to something like that ever again.
I had a somewhat similar experience. For one particular position we were interviewing a lot of junior and recent grad developers. Since so many of the applicants were relatively new to the game, they were almost all (99% I'd guess) extremely grateful for the honest feedback. We even had candidates asked to stay in contact with us and routinely got emails from them months or years down the road thinking us for our feedback and mentorship. It took a lot of extra time from us that could have been applied to our work, but we felt so good about being able to do that for people that it was worth it to us.
Then a lawsuit happened. One of the candidates cherry-picked some of our feedback and straight up made up some stuff that was never said, and went on a social media tirade. After typical internet outrage culture took over, The candidate decided to lawyer up and sue us, claiming discrimination. The case against us was so laughably bad that if you didn't know whether it was real or not, you could very reasonably assume this was a satire piece. Our company lawyer took a look at it, and immediately told us that it was clearly intended to get to some settlement, and never actually see any real challenge. The lawyer for the candidate even admitted as much when we met with them. Our company lawyer pushed hard to get things into arbitration, but the opposing did everything they could to escalate up the chain to someone who would just settle with them.
Well, it worked. Company management decided to just settle with a non-disparagement clause. They also came down with a policy of not allowing software engineers to talk directly with candidates other than during interviews when asking questions directly. We also had to have an HR person in the room for every interview after that. We had to 180 and become people who don't provide any feedback at all. We ended up printing a banner that said no good deed goes unpunished and hung it in our offices.
The person you interview isn't paying you.
The farm of servers that decided by probably some vibe-coded mess to ban account is actively being paid for by customer that banned it.
Like, there is some reasons to not disclose much to free users like making people trying to get around limits have more work etc. but that's (well) paid user, the least they deserve is a reason, and any system like that should probably throw a warning first anyway.
I wonder if there needs to be an "NDA for feedback"... or at least a "non-disparagement agreement".
Something along the lines of "here's the contract, we give you feedback, you don't make it public [is some sharing ok? e.g. if they want to ask their life coach or similar], if you make it public the penalty is $10000 [no need to be crazy punitive], and if you make it public you agree we can release our notes about you in response."
(Looking forward to the NALs responding why this is terrible.)
1 reply →
Had a similar experience, like 20 years ago. This somehow made me remember his name - so I just checked out what he's been up to professionally. It seems quite boring, "basic" and expected. He certainly didn't reach what he was shooting for.
So there's that :).
The excerpt you don’t understand is saying that if it has been Google rather than Anthropic, the blast radius of the no-explanation account nuking would have been much greater.
It’s written deliberately elliptically for humorous effect (which, sure, will probably fall flat for a lot of people), but the reference is unmistakable.
If company bans you for a reason they are not going to disclose, they deserve all of the bad PR they get from it.
> Years ago I was involved in a service where we some times had to disable accounts for abusive behavior. I'm talking about obvious abusive behavior, akin to griefing other users.
But this isn't service where you can "grief other users". So that reason doesn't apply. It's purely "just providing a service" so only reason to be outright banned (not just rate limited) is if they were trying to hack the provider, and frankly "the vibe coded system misbehaving" is far more likely cause.
> Every once in while someone would take it personally and go on a social media rampage. They know the company can't or won't reveal the true reason they were banned, so they're virtually free to tell any story they want.
The company chose to arbitrarily some rules vaguely related to the ToS that they signed and decided that giving a warning is too much work, then banned their account without actually saying what was the problem. They deserve every bit of bad PR.
>> I'm glad this happened with this particular non-disabled-organization. Because if this by chance had happened with the other non-disabled-organization that also provides such tools... then I would be out of e-mail, photos, documents, and phone OS.
> I can't even understand what they're trying to communicate. I guess they're referring to Google?
They are saying getting banned with no appeal, warning, or reason given from service that is more important to their daily lives would be terrible, whether that's google or microsoft set of service or any other.
> I'm talking about obvious abusive behavior, akin to griefing other users
Right, but we're talking about a private isolated AI account. There is no sense of social interaction, collaboration, shared spaces, shared behaviors... Nothing. How can you have such an analogue here?
Plenty of reasons: Abusing private APIs, using false info to sign up (attempts to circumvent local regulations), etc.
1 reply →
Attempting to coerce Claude to provide instructions to build a bomb
4 replies →
You're not alone.
I think the author was doing some sort of circular prompt injection between two instances of Claude? The author claims "I'm just scaffolding a project" but that doesn't appear to be the case, or what resulted in the ban...
One Claude agent told other Claude agent via CLAUDE.md to do things certain way.
The way Claude did it triggered the ban - i.e. it used all caps which apparently triggers some kind of internal alert, Anthropic probably has some safeguards to prevent hacking/prompt injection and what the first Claude did to CLAUDE.md triggered this safeguard.
And it doesn't look like it was a proper use of the safeguard, they banned for no good reason.
The author code have easily shared the last version of Claude.md that had the all caps or whatever, but didn't. Points to something fishy in my mind.
They did.
>If you want to take a look at the CLAUDE.md that Claude A was making Claude B run with, I commited it and it is available here.
https://github.com/HugoDaniel/boreDOM/blob/9a0802af16f5a1ff1...
The whole thing reads like LLM psychosis.
This tracks with Anthropic, they are actively hostile to security researchers.
I suspeect that having Claudes talking to Claudes is a very bad idea from Anthropic's point of view because that could easily consume a ton of resources doing nothing useful.
It wasn’t circular. TFA explains how the author was always in the loop. He had one Claude instance rewrite the CLAUDE.MD of another Claude instance whenever the second one made a mistake, but relaying the mistake to the first instance (after recognizing it in the first place) was done manually by the author.
i have no idea what he was actually doing either, and what exactly is it one isnt allowed to use claude to do?
What is wrong with circular prompt injection?
The "disabled organization" looks like a sarcastic comment on the crappy error code the author got when banned.
> What is wrong with circular prompt injection?
That you might be trying to jailbreak Claude and Anthropic does not like that (I'm not endorsing, just trying to understand).
Author really comes off unhinged throughout the article to be frank.
My take was more a kind of amusing laughing-through-frustration but also enjoying the ride just a little bit insouciance. Tastes vary of course, but I enjoyed the author's tone and pacing.
Did we read the same article? The author comes of as pretty frustrated but not unhinged
7 replies →
Author thinks he's cute to do things like mention Google without typing Google but I wouldn't call him unhinged.
The author was using instance A of Claude to update a `claude.md` while another instance B of Claude was consuming that file. When Claude B did something wrong, the author asked Claude A to update the `claude.md` so that Claude B didn’t make the same mistake again
More likely explanation: Their account was closed for some other reason, but it went into effect as they were trying this. They assumed the last thing they were doing triggered the ban.
This 100%. I'm not sure why the author as well as so many in the thread are assuming a ToS ban was literally instant and had to be due to what the author was doing in that moment. Could have been for something the author did hours, days, or weeks ago. There would be no way to know.
1 reply →
They were probably using an unapproved harness, which are now banned.
This does sound sus. I have CC update other project's claude.md files all the time. I've got a game engine that I'm tinkering with. The engine and each of the game concepts I play around with have their own claude.md. The purpose of writing the games is to enhance the engine, so the games have to be familiar with the engine and often engine features come from the game CC rather than the engine CC. To keep the engine CC from becoming "lost" about features implemented each game project has instructions to update the engine's claude.md when adding / updating features. The engine CC bootstraps new game projects with a claude.md file instructing it how to keep the engine in sync with game changes as well as details of what that particular game is designed to test or implement within the engine. All sorts of projects writing to other project's claude.md files.
I don't understand how having two separate instances of Claude helps here. I can understand using multiple Claude instances to work in parallel but in this case, it seems all this process is linear...
The point is to get better prompt corrections by not sharing the same context.
If you look at the code it will be obvious. Imagine I’m the creator of React. When someone does “create new app” I want to put a Claude.md in the dir so that they can get started easily.
I want this Claude.md to be useful. What is the natural solution to me?
6 replies →
Which shouldn't be bannable imo. Rate throttle is a more reasonable response. But Anthropic didn't reply to the author, so we don't even know if it's the real reason they got banned.
>if it's the real reason they got banned.
I mean, what a country should do it put a law in effect. If you ban a user, the user can submit a request with their government issued ID and you must give an exact reason why they were banned. The company can keep this record in encrypted form for 10 years.
Failure to give the exact reason will lead to a $100,000 fine for the first offense and increase from there up to suspension of operations privileges in said country.
"But, but, but hackers/spammers will abuse this". For one, boo fucking hoo. For two, just add to the bill "Fraudulent use of law to bypass system restrictions is a criminal offense".
This puts companies in a position where they must be able to justify their actual actions, and it also puts scammers at risk if they abuse the system.
4 replies →
When a company won't tell you what you did wrong, you should be free to take the least charitable interpretation towards the company. If it was more charitable, they'd tell you.
Is it possible that this was flagged as account-sharing, leading to the ban?
I often ask Claude to update Claude.md and skills..... and sometimes I'll just do that in a new window while my main window is busy and I have time.
Wonder if this is close to triggering a warning? I only ever run in the same codebase, so maybe ok?
Normally you can customize the agents behavior via a CLAUDE.md file. OP automated that process by having another agent customize the first agent. The customizer agent got pushy, the customized agent got offended, OP got banned.
My rudimentary guess is this. When you write in all caps, it triggers sort of a alert at Anthropic, especially as an attempt to hijack system prompt. When one claude was writing to other, it resorted to all caps, which triggered the alert, and then the context was instructing the model to do something (which likely would be similar to a prompt injection attack) and that triggered the ban. not just caps part, but that in combination of trying to change the system characteristics of claude. OP does not know much better because it seems he wasn't closely watching what claude was writing to other file.
if this is true, the learning is opus 4.5 can hijack system prompts of other models.
> When you write in all caps, it triggers sort of a alert at Anthropic
I find this confusing. Why would writing in all caps trigger an alert? What danger does caps incur? Does writing in caps make a prompt injection more likely to succeed?
from what i know, it used to be that if you want to assertively instruct, you used all caps. I don't know if it succeeds today. I still see prompts where certain words are capitalized to ensure model pays attention. What i mean was not just capitalization, but a combination of both capitalization and changing the behavior of the model for trying to get it to do something.
if you were to design a system to prevent prompt injections and one of surefire ways is to repeatedly give instructions in caps, you would have systems dealing with it. And with instructions to change behavior, it cascades.
Many jailbreaks use allcaps
Wait what? Really? All caps is a bannable offense? That should be in all caps, pardon me, in the terms of use if that's the case. Even more so since there's no support at the highest price point.
Its a combination. All caps is used in prompts for extra insistence, and has been common in cases of prompt hijacking. OP was doing it in combination with attempting to direct claude a certain way, multiple times, which might have looked similar to attempting to bypass teh system prompt.
1 reply →
Agreed, I found this rather incoherent and seeming to depend on knowing a lot more about author's project/background.
I had to read it twice as well, I was so confused hah. I’m still confused
They probably organize individual accounts the same as organization accounts for larger groups of users at the same company internally since it all rolls up to one billing. That's my first pass guess at least.
> I think I kind of have an idea what the author was doing, but not really.
Me neither; However, just like the rest I can only speculate (given the available information): I guess the following pieces provide a hint what's really going on here:
- "The quine is the quine" (one of the sub-headline of the article) and the meaning of the word "quine".
- Author's "scaffolding" tool which, once finished, had acquired the "knowledge"[1] how to add a CLAUDE.md baked instructions for a particular homemade framework (he's working on).
- Anthropic saying something like: no, stop; you cannot "copy"[1] Claude knowledge no matter how "non-serious" your scaffolding tool or your use-case is: as it might "shows", other Claude users, that there's a way to do similar things, maybe that time, for more "serious" tools.
---
[1]. Excerpt from the Author's blog post: "I would love to see the face of that AI (Claude AI system backend) when it saw its own 'system prompt' language being echoed back to it (from Author's scaffolding tool: assuming it's complete and fully-functional at that time)."
From reading the whole thing, it kind of seems clickbaity. Yes, they're the only user in the "organization" that got banned, but they apparently still are using the other "organization" without issue, so they as a human are not banned. There's certainly a valid complaint to be made about the lack of recourse or customer service response for the automated ban, but it almost seems like they intentionally were trying to be misleading by implying that since they were the only member of the organization, they were banned from using Claude.
You are confused because the message from Claude is confusing. Author is not an organization, they had an account with anthropic which got disabled and Anthropic addressed them as organization.
> Author is not an organization, they had an account with anthropic which got disabled and Anthropic addressed them as organization.
Anthropic accounts are always associated with an organization; for personal accounts the Organization and User name are identical. If you have an Anthropic API account, you can verify this in the Settings pane of the Dashboard (or even just look at the profile button which shows the org and account name.)
I've always kind of hated that anti-pattern in other software I use for peronal/hobby purposes, too. "What is your company name? [required]" I don't have a company! I'm just playing around with your tool on my own! I'm not an organization!
Yeah, I couldn't follow this "disabled organization" and "non-disabled organization" naming either.
Yeah, referring to yourself once as a "disabled organisation" is a good bit, referencing anthropics silly terminology. Keeping it for the duration made this a very hard follow
Sounds like author of the post might have needed an AI to review and fix his convoluted writing. Maybe even two AIs!
On the contrary I enjoyed this human touch in the text.
Right. This is almost unreadable. There are words, but the author seems to be too far down a rabbit hole to communicate the problem properly…
Sounds like OP has multiple org accounts with Anthropic.
The main one in the story (disabled) is banned because iterating on claude.md files looks a lot like iterating on prompt injections, especially as it sounds the multiple Claude's got into it with each other a bit
The other org sounds like the primary account with all the important stuff. Good on OP for doing this work in a separate org, a good recommendation across a lot of vendors and products.
You and me, brother. The writing is unnecessarily convoluted.
I think you missed the joke: he isn't an organization at all, but the error message claims he is.