Starbucks Devotees Find Their Apps Hacked

Here's your latest reminder not to ever, ever use a shoddy, easy-to-guess password: Starbucks app users are finding their bank accounts drained by password-guessing hackers.

Currently, the Starbucks app allows users to link their credit card, bank account, or PayPal account, and have it auto-refill their virtual "Starbucks card." It ensures that you can always use your phone to pay for your daily macchiato. Super convenient, right? However, Bob Sullivan first reported that criminals who guess users' passwords can take advantage of this reload function, using it to buy hundreds of dollars of real-life Starbucks cards in just a few minutes, which can then be sold on the black market.

A Sugar Land, Texas man had $550 stolen this way through his Starbucks app, while an Orlando woman also saw over $100 disappear from her bank account via the app over the course of a few minutes. Once the hacker gains access to an account, they change the username, password, and email address associated with the account, leaving the victim unable to remove access to their mobile payment information in the app.

Starbucks quickly addressed the issue and says that its systems are not at fault; rather, users have made themselves vulnerable by using bad passwords. In a statement, Starbucks said:

"News reports that the Starbucks mobile app has been hacked are false... Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks."

It's unclear how the hackers are gaining access to users' login information. It could be through brute force (repeatedly trying one password after another until they're granted access) or perhaps through phishing scams where users unwittingly share their account information with a criminal. In January, Starbucks did come under fire after researchers discovered a weakness with its app that could have compromised the account information of its 10 million customers. Starbucks immediately updated its apps to fix the bug.

If you use the Starbucks app — or any app for that matter — now's a good time to double-check you aren't using any of the popular passwords on this list. To be less vulnerable to this type of attack, don't reuse passwords, use two-factor authentication whenever possible, and use a password manager like 1Password to keep track of all those different passwords. After all, it would be really tragic to find yourself locked out of your own account when you're desperate for your morning coffee.