Starbucks App Exploited by Fraudsters


What Happened?

A string of hacking incidents has put Starbucks mobile customers on high alert. Hackers have been locking users out of their mobile accounts before proceeding to fraudulently use any preloaded gift cards or saved credit card information for their personal gain.

These incidents are especially concerning for customers who use the “auto-refill” feature. When enabled, this feature allows hackers to continuously siphon money from a user’s bank account. Some customers using “auto-refill” have reported having their bank accounts drained of hundreds of dollars in a matter of minutes.

Independent journalist Bob Sullivan first reported the attack on May 11. Sullivan explained that this event should be taken seriously due to the potential size of the attack.

“The fraud is a big deal because Starbucks mobile payments are a big deal. Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about 1 in 6 transactions at Starbucks are conducted with the Starbucks app.”

Cybersecurity experts suspect these rogue charges stem from poor password security. Many hackers buy stolen login credentials, many of them taken in data breaches, from online black markets and test them on other online accounts, such as the Starbucks mobile app. Because 55% of web users reuse the same password for most of their online accounts, this is a very effective technique.
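A service-side detection sketch for the credential-testing pattern described above, added here as an example (not code from the article or from Starbucks): it flags a source address that tries many distinct accounts in a short window with a low success rate, and lists the accounts that address did get into. The event format, thresholds, function names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample():
    """Constructed login events: (ISO timestamp, source IP, username, outcome)."""
    base = datetime(2024, 1, 1, 9, 0, 0)  # arbitrary constructed date
    events = []
    # One source walks through 12 different accounts in a minute; one login works.
    for i in range(12):
        outcome = "success" if i == 7 else "failure"
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        events.append((ts, "203.0.113.7", f"user{i:02d}@example.com", outcome))
    # An ordinary customer mistypes a password twice, then gets in.
    for i, outcome in enumerate(["failure", "failure", "success"]):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        events.append((ts, "198.51.100.20", "alice@example.com", outcome))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=10, max_success_ratio=0.2):
    """Return {source_ip: [accounts it logged in to]} for flagged sources.

    A source is flagged when, inside one sliding window, it has attempted at
    least `min_accounts` distinct usernames and at most `max_success_ratio`
    of those attempts succeeded. Thresholds are illustrative assumptions.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, user, succeeded) in window
    flagged = defaultdict(set)    # ip -> accounts that need a forced reset
    for ts_str, ip, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        attempts = recent[ip]
        attempts.append((ts, user, outcome == "success"))
        while ts - attempts[0][0] > window:   # drop attempts that aged out
            attempts.popleft()
        distinct_users = {u for _, u, _ in attempts}
        successes = sum(1 for _, _, ok in attempts if ok)
        if (len(distinct_users) >= min_accounts
                and successes / len(attempts) <= max_success_ratio):
            flagged[ip].update(u for _, u, ok in attempts if ok)
    return {ip: sorted(users) for ip, users in flagged.items()}


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(build_sample()).items():
        print(f"{ip}: likely credential testing; review accounts {accounts}")
```

The accounts returned for a flagged source are the ones to lock and reset first, since a successful login in the middle of such a run points to a reused password.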

If you reuse passwords across multiple online accounts, you should take preventive measures immediately.

What Should You Do?

1. Change your Starbucks password
Passwords should be unique, complex and long. Use non-dictionary words and include numbers and special characters. Never reuse passwords and change any passwords that may have been exposed in a data breach.

2. Disable “auto-refill”
While convenient, this feature is not worth the risk. If your app is ever compromised, auto-refill will provide the intruder with direct access to your bank account. Seeing as this is not the first cyber security faux pas associated with the Starbucks mobile app, it is wise to disable auto-refill.

3. Check your bank statement for inaccuracies
Review your bank account daily to detect any unfamiliar transaction. Contact your financial institution immediately if you notice any suspicious activity. Remember, fraud must be reported in a timely manner; otherwise you may be liable for the charges.

For more information on Data Breach and Scam News visit FightingIdentityCrimes.com.

The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.

John Burcham, Chief Privacy Officer at EZShield Fraud Protection
John Burcham is Corporate Counsel for EZShield. He is a Certified Compliance and Ethics Professional...

3 Comments

  1. I’m so glad someone finally wrote about this. Several months back, I received a confirmation from Starbucks about a change of email address. (Luckily, they send the confirmation to both the old and new email address.) I saw the email within a few minutes of receiving it. I immediately called Starbucks while also trying to log in to my account through my Starbucks app. I’m still not sure how my account was accessed since it was a unique password only used for Starbucks. The criminal changed the email address on the account, changed the password, loaded an extra $100 from the saved credit card, sent a “gift” to someone for $100, then made a “purchase” for the entire amount on the Starbucks card. (I did not have it set to auto-load, but did have a credit card saved to the account to make reloads faster.) What I found suspicious was the fact that Starbucks claimed they couldn’t tell me how or where a purchase was done for the entire amount of the Starbucks card balance. I was out about $218, which Starbucks eventually refunded back to me when they issued me a new Starbucks card. I have my suspicions that Starbucks was actually hacked and login credentials stolen.

    • Hi Jennifer, sorry for the very late reply (our website automatically mis-marked your comment as spam, I apologize for that). Thank you for sharing your story, it’s mind blowing how fast these fraudsters worked. We’re glad to hear everything has since been resolved.
