
Hackers are stealing money from users’ credit cards, banks, and PayPal accounts through the Starbucks mobile app, the coffee giant confirmed to CNN on Tuesday.

The app, which lets users pay at checkout and reload Starbucks gift cards, has an auto-reload function that makes it easy for hackers to take money from users without needing any account numbers.

Consumer tech reporter Bob Sullivan was first to report the issue, noting that any criminal who obtains username and password credentials to Starbucks.com can drain a consumer’s stored value and attack their linked credit card.

Since the Starbucks app is so widely used, it’s likely the hackers obtained usernames and passwords from another service, through phishing emails and keyloggers, and are able to reuse them successfully in the Starbucks app.

This could potentially be a big deal, too. Starbucks has revealed in the past that it’s processed $2 billion in mobile payment transactions, and about 1 in 6 transactions at Starbucks are conducted with the Starbucks app. A source told Sullivan that Starbucks has been aware of the issue since early 2015.

Starbucks states that there have been no breaches and no customer data has been shared. Right now, it seems like the best thing you can do is have a strong password and disable the auto-reload function within the Starbucks app.
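
The abuse pattern described on this page (a login with stolen credentials, stored value moved out, auto-reload topping the balance back up from the linked card, then the same again) leaves a recognisable sequence in account activity. The detection sketch below is an added example, not code from Starbucks or from the original article; the event schema, device names and thresholds are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def flag_drain_cycles(events, known_devices, window=timedelta(hours=24), min_cycles=2):
    """Flag accounts where a login from an unrecognised device is followed, within
    `window`, by repeated transfer-out -> auto-reload cycles. Returns {account: cycles}."""
    per_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_account[ev["account"]].append(ev)
    flagged = {}
    for account, evs in per_account.items():
        known = known_devices.get(account, set())
        suspect_since = None      # time of the unrecognised-device login being tracked
        pending_transfer = False  # transfer-out seen, reload not yet triggered
        cycles = 0
        for ev in evs:
            expired = suspect_since is None or ev["ts"] - suspect_since > window
            if ev["type"] == "login":
                if ev["device"] not in known and expired:
                    suspect_since, pending_transfer, cycles = ev["ts"], False, 0
            elif expired:
                continue          # activity outside any suspect window is not counted
            elif ev["type"] == "transfer_out":
                pending_transfer = True
            elif ev["type"] == "auto_reload" and pending_transfer:
                pending_transfer = False
                cycles += 1
                if cycles >= min_cycles:
                    flagged[account] = max(flagged.get(account, 0), cycles)
    return flagged

def _ev(minute, account, kind, **extra):
    # Constructed timestamps: minutes after an arbitrary start time.
    return {"ts": datetime(2015, 1, 1, 2, 0) + timedelta(minutes=minute),
            "account": account, "type": kind, **extra}

# Constructed sample data (hypothetical schema, not a real Starbucks log format).
KNOWN_DEVICES = {"alice": {"alice-iphone"}, "bob": {"bob-iphone"}, "carol": {"carol-old"}}
EVENTS = [
    _ev(0, "alice", "login", device="unknown-1"),
    _ev(5, "alice", "transfer_out"), _ev(6, "alice", "auto_reload"),
    _ev(10, "alice", "transfer_out"), _ev(11, "alice", "auto_reload"),
    _ev(15, "alice", "transfer_out"), _ev(16, "alice", "auto_reload"),
    _ev(1, "bob", "login", device="bob-iphone"),      # known device: ignored
    _ev(3, "bob", "transfer_out"), _ev(4, "bob", "auto_reload"),
    _ev(2, "carol", "login", device="carol-new"),     # new phone, a single cycle
    _ev(8, "carol", "transfer_out"), _ev(9, "carol", "auto_reload"),
]

if __name__ == "__main__":
    print(flag_drain_cycles(EVENTS, KNOWN_DEVICES))
```

A flagged account is a candidate for pausing auto-reload and notifying the owner. A single cycle after a new-device login is left alone so that a customer with a new phone is not blocked.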

Source: CNN via Bob Sullivan

  • Joshua The-Legend Wiebe

    The next update for the Starbucks app should include Touch ID compatibility.

    • pegger1

      That won’t help if someone has your Starbucks user ID and password. The hackers here aren’t using your actual phone.

      • Joshua The-Legend Wiebe

        Sure, Touch ID would help. It would be a virtual tokenization for the Starbucks app; the fingerprint you insert would enter an encrypted/complex password instead of a password that’s easy to guess with letters and numbers.

      • pegger1

        That would only be for purchases with your phone. Your Starbucks account still needs a user ID and password, which the hacker can use online to transfer funds out to another Starbucks card, and repeat continuously as it autoreloads.

      • Joshua The-Legend Wiebe

        *auto-reload

  • m1n1cooper

    If Starbucks have known about this since early 2015, why have they done nothing about it? That is the question people should be asking.

    • pegger1

      What would you like them to do? This isn’t a Starbucks issue.
      If you give away your id and password, how can Starbucks stop that?
      That’s the same for any login anywhere.

      • m1n1cooper

        They have known about the issue and could have told customers about it. Also, they could remove the auto-reload feature, which should help.

      • thunderqus

        You are correct, it’s not their issue, but they can step up and protect their innocent customers, can’t they?

        They can introduce the limit for the day under settings or in accounts, which will easily prevent this fraud and bring the customer’s attention to the problem, which customers can rectify by changing their passwords.

      • They could perhaps tell people their account has been accessed by someone else. For example, every time you log on to the iCloud website you get an email sent to you telling you this. I’ve added the address to my VIP, so if anyone accesses iCloud without me knowing I’ll know pretty quickly and hopefully be able to recover my account.

      • Jackson Grong

        Nobody cares about your account and nobody will steal your login lol, unless you are a celebrity.
        As long as you have a strong password and you keep it safe, you’re good.

      • While the majority of what you’ve said is true, I’m sure many people get hacked each year, and not all due to a lack of a strong password. For example, if I had a key logger installed on my system, someone could gather passwords and then use these passwords without me knowing. Starbucks has a duty to let people know when their accounts have been breached, and rubbish security doesn’t excuse this duty.

      • Jackson Grong

        Why the hell would you have a key logger installed? If you are really that paranoid, get an Antivirus program. Other than that, stop getting fatter and eating your feelings, delete the Starbucks account!

      • Why would I have a key logger installed? I don’t know, perhaps I fell for a phishing scam? As for your Antivirus suggestion, that’s good advice and all, but they can’t and won’t detect all threats. It’s the customer’s job to ensure their account is secure and it’s the operator’s job (in this case Starbucks) to ensure that access is monitored and customers that have their account breached are notified.

  • 919263

    Just the beginning…..All this Apple Pay crap is going to hit the fan pretty soon….

    • BooBee

      Nah, Apple Pay is iron clad! That tech is solid but maybe I have too much faith in Apple although they have proven to have the best security so far with fewest hiccups.

      • 919263

        Anything software based/NFC is not safe. The only way to keep it safe is to be one step ahead of hackers all the time, but in this cat and mouse game, sometimes the cat can’t keep up. ONE hiccup is all it takes.

      • BooBee

        What’s unique about Apple Pay is that our credit cards are not transmitted when we make that NFC connection. Randomly generated “keys” are sent so if hacks compromise retailer credit databases hackers get useless numbers. That’s what makes Apple Pay so amazing.

        I agree, eventually everything is hackable with enough determination but with Google pay alternatives that do transmit credit card numbers those are easier targets.

      • socrates

        More people need to understand that Apple Pay is not standard NFC as you described. It’s probably the most secure mobile payment form out there.

      • BooBee

        Agreed! Its tech is currently state of the art and hacks will go after the easier targets like Samsung Pay, Google Pay, etc.

  • Tommy

    Here’s an idea. Why not just use cash

    • Same thing I was thinking. Guess I haven’t jumped on the bandwagon of mobile payments. Paying with cash is always going to be the easiest form of payment IMO

  • Buck E. Fush

    When you’re stealing $5 a day it flies under the radar.