If you use the Starbucks app to pay for your morning coffee, you might want to check your bank account. And then strengthen your password.
After reports emerged saying hackers had gained access to user accounts and used its app to siphon money away from unsuspecting customers, Starbucks has hit back, saying that these reports are false.
Blogger Bob Sullivan first reported the issue, telling the stories of multiple victims. What these “hackers” are doing is accessing a Starbucks customer’s account, using the balance to buy a gift card, and waiting for the app to auto-load more money onto the card. This way, they can draw funds directly from someone’s bank account or PayPal account.
From Bob Sullivan:
Maria Nistri, 48, was a victim this week. Criminals stole the Orlando woman’s $34.77 in value she had loaded onto her Starbucks app, then another $25 after it was auto-loaded into her card because her balance hit 0. Then, the criminals upped the ante, changing her auto reload amount to $75, and stealing that amount, too. All within 7 minutes.
CNN confirmed that this was happening to other people:
It happened to Jean Obando on the Saturday evening of December 7. He had just stopped by a Starbucks in Sugar Land, Texas and paid with his phone app. Then while driving on the highway, his phone chimed with a barrage of alerts. PayPal repeatedly notified him that his Starbucks card was being automatically reloaded with $50.
Then came the email from Starbucks.
“Your eGift Just Made Someone’s Day,” the email said. “It’s a great way to treat someone — whether it’s to say Happy Birthday, Thank you or just ‘this one’s on me.’”
He got 10 more just like it — in just five minutes.
Sounds bad. And it is. But according to Starbucks – this isn’t a hack. This is simply bad password practice.
“Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions. To protect the integrity of these security measures, Starbucks will not disclose specific details but can assure customers their security is incredibly important and all concerns related to customer security are taken seriously,” said Starbucks.
“Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.”
Starbucks is right in that your passwords do suck. But the company can do more to help prevent this sort of scheme (two-step authentication wouldn’t fix everything but could help). Also, Starbucks doesn’t have a perfect record when it comes to app security.
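The drain-and-reload pattern described above (balance spent on eGifts, auto-reload tops the card up, the reload amount gets raised, all within minutes) is exactly the kind of sequence a payment backend can flag on its own side. The velocity check below is an added example, not code from the article or from Starbucks; the event format, the thresholds and the sample events (modelled on the Nistri case) are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample account-event stream (account ids, timestamps and
# event names are assumptions; amounts follow the article's Nistri case).
EVENTS = [
    ("acct-1", "2015-05-13T08:00:00", "egift_purchase", 34.77),
    ("acct-1", "2015-05-13T08:01:10", "auto_reload", 25.00),
    ("acct-1", "2015-05-13T08:01:40", "egift_purchase", 25.00),
    ("acct-1", "2015-05-13T08:03:05", "reload_amount_changed", 75.00),
    ("acct-1", "2015-05-13T08:03:30", "auto_reload", 75.00),
    ("acct-1", "2015-05-13T08:04:00", "egift_purchase", 75.00),
    ("acct-2", "2015-05-13T08:05:00", "purchase", 4.25),   # normal customer
    ("acct-2", "2015-05-13T08:05:30", "auto_reload", 25.00),
]

WINDOW = timedelta(minutes=10)  # assumed detection window


def parse(events):
    return [(a, datetime.fromisoformat(ts), kind, amt) for a, ts, kind, amt in events]


def flag_accounts(events, window=WINDOW, max_reloads=1, max_gifts=2):
    """Return {account: [reasons]} for accounts whose events inside any
    sliding `window` match the drain-and-reload pattern."""
    by_acct = defaultdict(list)
    for acct, ts, kind, amt in sorted(parse(events), key=lambda e: e[1]):
        by_acct[acct].append((ts, kind, amt))
    findings = {}
    for acct, evs in by_acct.items():
        reasons = set()
        for i, (start, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start <= window]
            kinds = [k for _, k, _ in win]
            if kinds.count("auto_reload") > max_reloads:
                reasons.add("repeated auto-reload within window")
            if kinds.count("egift_purchase") > max_gifts:
                reasons.add("burst of eGift purchases")
            if "reload_amount_changed" in kinds:
                j = kinds.index("reload_amount_changed")
                if "egift_purchase" in kinds[j + 1:]:
                    reasons.add("reload amount raised then spent on eGift")
        if reasons:
            findings[acct] = sorted(reasons)
    return findings
```

A flagged account is a candidate for holding further auto-reloads and requiring re-authentication before any more eGift sends, which is the sort of server-side control the company can apply regardless of how weak the customer's password is.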