
Ford F-150 Lightning Owner Warns of EVgo Security Flaw After Stranger Charges $18 to 'Autocharge+' Account

A Ford F-150 Lightning owner is sounding the alarm on EVgo’s Autocharge+ system after a stranger’s charging session was billed, as an $18 charge, to his account. Despite the clear security breach, EVgo support reportedly told the owner it was a 'you' problem.
Author: Noah Washington

Reddit user dgro636 watched $18 disappear from their EVgo account in real time as a charging session for an unknown vehicle began, while their F-150 Lightning sat parked in their driveway. The notification, "Your EVgo charging session has started," arrived while dgro636 was at home, nowhere near a charging station. This was not a simple billing error; it was an active, unauthorized session billed to their payment method. The core problem is a security flaw in how EVgo's Autocharge+ system ties a vehicle identifier to a customer account, not merely a mischarge.

The integrity of the entire charging ecosystem is at stake, beyond just the $18 charge. When a charging network cannot secure its payment systems against unauthorized use, it erodes the trust essential for widespread EV adoption. The convenience of Autocharge+ becomes a liability, exposing customers to financial risk and the frustration of battling a system designed to protect itself, not its users.

EVgo's Autocharge+ system is fundamentally insecure, allowing unauthorized charges and failing to protect customer accounts or payment information.

“Got a notification this morning: 'Your EVgo charging session has started.'

Cool, except I was at home. And so was my car. And I was nowhere near an EVgo station.

Someone else somehow started a charge using my account and my payment method, and I got to sit on hold watching $18 disappear in real time like it was a Twitch stream.

Customer service stopped the session and promised a refund.

EVgo’s follow‑up?

“No refund. It was your Autocharge+ vehicle ID.”

My car: parked.

Me: home.

EVgo: “Sounds like a you problem.”

No two‑factor authentication.

No way to stop the session in the app.

No way to remove my payment method.

No explanation for how a stranger hijacked my account.

And they refused to delete my account when I asked.

Just… chef’s kiss levels of corporate nonsense.

For anyone following my original post, here’s the latest.

EVgo finally responded to me, and their message confirms exactly what you all suspected: the MAC ID that triggered the unauthorized charge is associated with another account. My truck was at home, and the vehicle they’re talking about isn’t — and never was — mine.

Here’s their reply, word for word:

**“Our development team has completed its review of the MAC ID and confirmed that it is currently associated with another account.

To proceed with our investigation, could you please provide the VIN that was originally linked to your account so we may document it accordingly?”**

I’ve asked them the following (and yes, Copilot helped me come up with these):

• How a MAC ID associated with another customer’s account was able to initiate a charge on mine.

• Whether EVgo considers this a security breach.

• What steps EVgo is taking to prevent this from happening again, including the ability to freeze accounts, remove payment methods, and require stronger authentication.

Updates to follow…”

The initial response from EVgo's customer service, blaming dgro636's "Autocharge+ vehicle ID" and refusing a refund, is a textbook example of a company deflecting responsibility rather than addressing a clear system failure. It's an infuriating stance that forces the customer to prove their innocence against a system that demonstrably failed. 

EVgo Autocharge+: Security Concerns and System Flaws

  • Autocharge+ relies on vehicle identifiers: The charger recognizes the car by a static identifier it presents during session setup, typically the MAC address of the vehicle's charge-communication controller, and bills whichever account that identifier has been paired with. The identifier travels in the clear, is not secret, and is not cryptographically bound to the car or the account. Unlike Plug & Charge (ISO 15118), where the vehicle holds a certificate and signs a fresh challenge from the charger, presenting the identifier is the whole credential.
  • Unauthorized charges and account misassociations: Instances like dgro636's show that a vehicle identifier can end up linked to the wrong customer account, producing charges for sessions the account holder never started. This points to either an integrity problem in the pairing database or a weakness in the pairing process itself, and from the charger's side a cloned identifier and a mis-paired one are indistinguishable.
  • Lack of user control and security features: EVgo's platform reportedly lacks critical security features such as two-factor authentication, the ability to stop an active charging session via the app, or the option to easily remove payment methods. This leaves users vulnerable to unauthorized activity with limited recourse.
  • Customer service and refund challenges: When unauthorized charges occur, customers face significant hurdles in obtaining refunds, with EVgo initially blaming the user's "Autocharge+ vehicle ID" even when the vehicle was not present. This indicates a policy that prioritizes system protection over customer satisfaction.

The fact that the F-150 Lightning owner couldn't stop the session, remove a payment method, or even delete their account shows a severe lack of the user controls and account-security features that should be standard in any platform that can bill a payment card. This is not merely an inconvenience; it is a direct assault on consumer trust and financial security.

Red Ford F-150 Lightning electric pickup powering tools at a home construction site.

Reddit user u/jpmeyer12751, commenting on the situation, cut straight to the heart of the matter:

If EVGo's system is debiting MY credit card when some other person charges THEIR car, I would consider that to be a security breach. I wouldn't really care whether the cause was a software error or something nefarious. Any charge to a credit card that is not authorized by the cardholder is a security breach, in my opinion.

Jpmeyer12751 is absolutely correct. Whether the cause is malicious intent or a simple database error, an unauthorized charge to a payment method is, by definition, a security breach. The distinction EVgo attempts to draw between a "security breach" and a "system error" is irrelevant to the customer whose money is being taken. The company's internal classification does not negate the financial and personal security implications for the user. This is where the industry's technical definitions often diverge from the real-world impact on consumers, and the latter is what truly matters.

The second, more detailed response from EVgo, confirming that "the MAC ID that triggered the unauthorized charge is associated with another account," only deepens the problem. It confirms that a MAC ID, ostensibly unique to a vehicle, was somehow cross-linked to a different customer's payment account. This is not a "you problem," as EVgo initially claimed; it's a catastrophic database integrity issue or a fundamental flaw in their Autocharge+ pairing process. The company's request for dgro636's VIN to "document it accordingly" feels less like an investigation and more like an attempt to gather data to patch a symptom rather than cure the disease.

This is where the pattern becomes clear. Reddit user u/dustyshades, who owns a Mach E, R1S, and Bolt, and is a top 1% commenter, highlighted this exact vulnerability:

Yeah, that’s the problem with EVGo’s auto charge implementation. It’s not actually secure like the plug and charge standard. It’s exactly why I haven’t set up auto charge myself (and never will).

Dustyshades's comment points to a critical distinction: EVgo's Autocharge+ is not the industry-standard Plug & Charge. Plug & Charge, defined in ISO 15118, gives each vehicle a certificate issued under a PKI; during session setup the vehicle proves possession of the matching private key by signing a fresh challenge from the charger, so copying an identifier out of the session is not enough to be billed as that vehicle. Autocharge+, by contrast, keys the account on a static vehicle identifier such as a MAC address, which is sent in the clear and can be cloned, spoofed, or mis-paired in the operator's database. The fact that a seasoned EV owner actively avoids Autocharge+ due to security concerns should be a blaring siren for EVgo.
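The two schemes contrasted in the bullet list above and in this paragraph, as an added example that is not part of the original article and is not EVgo's code or any ISO 15118 implementation: a charger that authorizes on a static identifier alone, beside one that demands proof of a per-account secret over a challenge that is fresh for each session. The account table, the MAC address, the contract identifier and the key are constructed for the example; HMAC over a per-account secret stands in for the certificate-backed ECDSA signature that Plug & Charge actually uses, and the real ISO 15118 message names are not reproduced.

```python
"""Toy comparison of identifier-based and challenge-based charger authorization.

Added illustration, not EVgo's code and not the ISO 15118 message format.
Account records, MAC addresses, contract IDs and keys are constructed here.
HMAC with a per-contract secret stands in for the certificate and ECDSA
signature Plug & Charge uses; the property shown is the same: the charger
bills only an account whose secret answered a challenge minted for this session.
"""
import hashlib
import hmac
import secrets


class Vehicle:
    """A car at the charger. `key` is None for a car that only copied identifiers."""

    def __init__(self, mac, contract_id, key=None):
        self.mac = mac                  # static identifier, sent in the clear
        self.contract_id = contract_id  # identifier used to look up the account
        self.key = key                  # secret bound to the account, never sent

    def respond(self, challenge):
        if self.key is None:
            return b""                  # nothing to sign with
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class ReplayingVehicle(Vehicle):
    """Replays a response captured from an earlier session instead of computing one."""

    def __init__(self, victim, captured_response):
        super().__init__(victim.mac, victim.contract_id, key=None)
        self.captured = captured_response

    def respond(self, challenge):
        return self.captured


# Autocharge-style: whoever presents the MAC is billed to the paired account.
def identifier_authorize(accounts_by_mac, vehicle):
    return accounts_by_mac.get(vehicle.mac)


# Plug & Charge-style: look up the account, then require proof of that account's
# key over a challenge the charger mints fresh for this session.
def challenge_authorize(accounts_by_contract, vehicle, charger_id, nonce=None):
    entry = accounts_by_contract.get(vehicle.contract_id)
    if entry is None:
        return None
    account, key = entry
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    challenge = b"charge-auth|" + charger_id.encode() + b"|" + nonce
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    # compare_digest is constant-time and returns False on a length mismatch.
    if hmac.compare_digest(expected, vehicle.respond(challenge)):
        return account
    return None


# Constructed sample data (hypothetical values, not real identifiers).
OWNER_KEY = secrets.token_bytes(32)
OWNER = Vehicle(mac="00:1b:44:11:3a:b7", contract_id="C-OWNER", key=OWNER_KEY)
CLONE = Vehicle(mac="00:1b:44:11:3a:b7", contract_id="C-OWNER")  # same IDs, no key
ACCOUNTS_BY_MAC = {"00:1b:44:11:3a:b7": "acct-owner"}
ACCOUNTS_BY_CONTRACT = {"C-OWNER": ("acct-owner", OWNER_KEY)}
CHARGER = "evse-42"


def demo():
    """Run both schemes against the owner, a clone and a replay; return who is billed."""
    # Capture one legitimate response, as someone sniffing the link might.
    old_nonce = secrets.token_bytes(16)
    captured = OWNER.respond(b"charge-auth|" + CHARGER.encode() + b"|" + old_nonce)
    replayer = ReplayingVehicle(OWNER, captured)
    return {
        "identifier/owner": identifier_authorize(ACCOUNTS_BY_MAC, OWNER),
        "identifier/clone": identifier_authorize(ACCOUNTS_BY_MAC, CLONE),
        "challenge/owner": challenge_authorize(ACCOUNTS_BY_CONTRACT, OWNER, CHARGER),
        "challenge/clone": challenge_authorize(ACCOUNTS_BY_CONTRACT, CLONE, CHARGER),
        "challenge/replay": challenge_authorize(ACCOUNTS_BY_CONTRACT, replayer, CHARGER),
    }


if __name__ == "__main__":
    for case, billed in demo().items():
        print(f"{case:18} -> billed account: {billed}")
```

In the identifier scheme the clone is billed to the owner's account exactly as the owner is, and the charger has no way to tell a deliberate clone from a second car that genuinely presents the same MAC or from a record the operator paired to the wrong customer. In the challenge scheme the clone and the replayed response both fail, because only the holder of the account's key can answer a nonce the charger has never issued before. The caveat a practitioner would add is that the signature only proves possession of a key; if the operator stores that key under the wrong account at pairing time, the cryptography faithfully bills the wrong customer, so the enrollment and pairing process needs the same scrutiny as the protocol.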

Ford F-150 Lightning electric pickup truck driving on a dirt forest trail.

The fundamental issue, at least in this Lightning owner's case, is that EVgo has shipped a convenience feature without the underlying security architecture to support it. The lack of two-factor authentication, the inability to stop a session in-app, and the refusal to allow account deletion are not oversights; they are systemic failures that prioritize a simplified user experience over essential security controls. This creates an environment ripe for exploitation, whether accidental or malicious. Until EVgo addresses these foundational security gaps, its Autocharge+ system remains a liability for its customers.

EVgo's handling of dgro636's unauthorized charge is a stark indictment of its account security and customer service policies. The company's initial denial, followed by a confirmation of a MAC ID misassociation, reveals a system that is both technically flawed and administratively unresponsive. This is a glaring vulnerability in the infrastructure meant to power the electric F-150 revolution. Until EVgo implements robust security measures like two-factor authentication, offers immediate in-app control over charging sessions, and provides transparent recourse for billing errors, its Autocharge+ system cannot be trusted.

Image Sources: Ford Media Center

About The Author

Noah Washington is an automotive journalist based in Atlanta, Georgia, covering sports cars, luxury vehicles, and performance culture. His reporting focuses on explaining the engineering, design philosophy, and real-world ownership experience behind modern vehicles.

Noah has been immersed in the automotive world since his early teens, attending industry events and following the enthusiast communities that shape how cars are built and driven today. His work blends industry insight with enthusiastic storytelling, helping readers understand not just what a car is, but why it matters.

Noah is also a member of the Southeast Automotive Media Association (SAMA), a professional organization for automotive journalists and industry media in the Southeast. 

His coverage regularly explores sports cars, luxury vehicles, and performance-driven segments of the automotive industry, including the evolving culture surrounding Formula Drift and enthusiast builds.

Read more of Noah's work on his author profile page.
