Starbucks app compromised, hackers using auto-reload feature, weak passwords to siphon funds

Posted by:
Date: Friday, May 15th, 2015, 07:11
Category: Hack, News, Software


If you’re going to use the Starbucks mobile app, have a strong password behind it.

This seems to be what’s necessary as thieves have begun accessing users’ Starbucks mobile apps and siphoning money from their credit cards, bank and PayPal accounts. The Starbucks app, which ties into a rewards account, also lets you reload the account by automatically drawing off your bank account, credit card or PayPal account. Once a Starbucks account has been accessed, hackers can add a new gift card, transfer funds over and repeat the process every time the original card reloads.

In one case, Jean Obando had stopped by a Starbucks in Sugar Land, Texas and paid with his phone app. Then, while he was driving on the highway, his phone chimed with a barrage of alerts. PayPal repeatedly notified him that his Starbucks card was being automatically reloaded with US$50.

Then came an email from Starbucks. “Your eGift Just Made Someone’s Day,” the email said. “It’s a great way to treat someone — whether it’s to say Happy Birthday, Thank you or just ‘this one’s on me.'”

Obando received 10 more notifications just like it in the space of five minutes.

Starbucks didn’t stop a single transaction or pause to ask Obando for secondary approval. All of them went through. When Obando told Starbucks he thought his account was hijacked, Starbucks promised to conduct a review. When Obando asked to stop the payments and refund his money, Starbucks told him to dispute the charges with PayPal.

It took Obando two weeks to get back his US$550.

“Now, I just pay with my credit card or cash,” he said. “I can’t trust Starbucks with my payment information anymore.”

Starbucks has stated that the company has not been hacked, and it didn’t lose customer data. The company said these account takeovers are likely due to weak customer passwords. Starbucks suggested that customers use unique, strong passwords.

Starbucks wouldn’t say if it’s adding new security measures to its system. But it promises customers will be reimbursed for any fraudulent charges.
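The pattern reported above (a burst of auto-reloads, each followed by a transfer to a freshly added gift card, with no secondary approval) is one a server-side velocity rule can hold for review. The sketch below is an added example, not code from the article or from Starbucks; the event schema, account and card names, and thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)        # assumed look-back window for reloads
MAX_RELOADS = 2                      # assumed: auto-reloads tolerated per window
NEW_CARD_AGE = timedelta(hours=24)   # assumed: cards younger than this are "new"

def review(events):
    """Return (ts, account, reason) for events to hold for step-up approval.
    `events` are dicts in a hypothetical schema, time-ordered per account."""
    reloads = defaultdict(deque)     # account -> reload times inside WINDOW
    card_added = {}                  # (account, card) -> time the card was added
    holds = []
    for e in events:
        ts, acct = datetime.fromisoformat(e["ts"]), e["account"]
        if e["type"] == "card_added":
            card_added[(acct, e["card"])] = ts
        elif e["type"] == "auto_reload":
            q = reloads[acct]
            q.append(ts)
            while ts - q[0] > WINDOW:          # drop reloads outside the window
                q.popleft()
            if len(q) > MAX_RELOADS:
                holds.append((e["ts"], acct, "reload_velocity"))
        elif e["type"] == "transfer":
            added = card_added.get((acct, e["to_card"]))
            if added is not None and ts - added <= NEW_CARD_AGE:
                holds.append((e["ts"], acct, "transfer_to_new_card"))
    return holds

# Constructed sample: account B is ordinary use, account A shows the drain loop.
SAMPLE = [
    {"ts": "2024-01-01T08:00:00", "account": "B", "type": "card_added", "card": "gift-b"},
    {"ts": "2024-01-05T09:00:00", "account": "B", "type": "auto_reload"},
    {"ts": "2024-01-05T09:05:00", "account": "B", "type": "transfer", "to_card": "gift-b"},
    {"ts": "2024-01-05T12:00:00", "account": "A", "type": "card_added", "card": "gift-x"},
    {"ts": "2024-01-05T12:00:10", "account": "A", "type": "auto_reload"},
    {"ts": "2024-01-05T12:00:20", "account": "A", "type": "transfer", "to_card": "gift-x"},
    {"ts": "2024-01-05T12:00:40", "account": "A", "type": "auto_reload"},
    {"ts": "2024-01-05T12:00:50", "account": "A", "type": "transfer", "to_card": "gift-x"},
    {"ts": "2024-01-05T12:01:10", "account": "A", "type": "auto_reload"},
    {"ts": "2024-01-05T12:01:20", "account": "A", "type": "transfer", "to_card": "gift-x"},
]

if __name__ == "__main__":
    for hold in review(SAMPLE):
        print(hold)
```

In a real payment flow, a hold would pause the transaction and ask the account owner to confirm through a second channel before any money moves.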

This is the second time Starbucks’ payment system has run into security issues. Last year someone discovered the Starbucks app left passwords vulnerable, because it was storing them in plain text.

Because this is an issue with account access, the only way for customers to protect themselves is to create a strong password — and erase any payment methods attached to their Starbucks account. Disabling the auto-reload of money isn’t enough, as it can be reactivated within moments.

So, if you think your Starbucks mobile app password is a bit weaker than it could be, now might be the time to update it.

Via CNN Money
