The app, which lets users pay at checkout and reload Starbucks gift cards, has an auto-reload function that makes it easy for hackers to take money from users without needing any account numbers.
Consumer tech reporter Bob Sullivan was the first to report the issue, noting that any criminal who obtains username and password credentials to Starbucks.com can drain a consumer’s stored value and attack their linked credit card.
Since the Starbucks app is so widely used, it’s likely the hackers obtained usernames and passwords from another service through phishing emails and keyloggers and are able to reuse them successfully in the Starbucks app.
This could potentially be a big deal, too. Starbucks has revealed in the past that it’s processed $2 billion in mobile payment transactions, and about 1 in 6 transactions at Starbucks are conducted with the Starbucks app. A source told Sullivan that Starbucks has been aware of the issue since early 2015.
Starbucks states that there have been no breaches and no customer data has been shared. Right now, it seems like the best thing you can do is have a strong password and disable the auto-reload function within the Starbucks app.