Coffee-Lovers Beware – Cybercriminals Could Have Hacked Your Starbucks Account


Starbucks customer accounts hacked through smartphone apps, report claims

If you’re feeling in need of a caffeine-fuelled pick-me-up, it might be wise not to head to Starbucks, as research has found that hackers have managed to compromise customers through their loyalty accounts.

Thousands of Starbucks mobile app users found they were out of pocket after receiving emails saying that their passwords and login details had been reset.


The culprit appears to be the app itself, largely thanks to Starbucks’ auto-reload function, which tops up reward cards automatically each week or month using a linked credit card account.

These were then compromised by the hackers, who were able to access these transactions to discover the details of the payment cards linked to them, meaning hundreds of dollars were stolen in a matter of minutes.

One victim saw her original balance of $34.77 stolen, before it auto-updated with $25 and then again with a further $75 after the hackers changed the auto top-up amount – all within seven minutes.
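The sequence in that account (credentials reset, balance moved out, top-up amount changed, repeated reloads, all inside a few minutes) is the kind of burst a fraud rule can key on. The sketch below is an added example, not Starbucks' or the researcher's code; the event names, the ten-minute window, the two-signal threshold and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed threshold; the case above took seven minutes

# Constructed sample events: (account, timestamp, hypothetical event type, USD amount).
EVENTS = [
    ("acct-A", "2000-01-01T10:00:00", "password_reset", 0.0),
    ("acct-A", "2000-01-01T10:01:00", "balance_transfer_out", 34.77),
    ("acct-A", "2000-01-01T10:03:00", "auto_reload", 25.00),
    ("acct-A", "2000-01-01T10:04:00", "reload_amount_changed", 75.00),
    ("acct-A", "2000-01-01T10:07:00", "auto_reload", 75.00),
    ("acct-B", "2000-01-01T09:00:00", "auto_reload", 25.00),   # normal weekly top-up
    ("acct-B", "2000-01-08T09:00:00", "auto_reload", 25.00),
    ("acct-C", "2000-01-02T12:00:00", "password_reset", 0.0),  # reset with no follow-up
]

def flag_accounts(events, window=WINDOW):
    """Flag accounts where a password reset is followed, within `window`,
    by at least two of: balance moved out, reload amount changed, repeat reloads."""
    by_acct = {}
    for acct, ts, kind, amount in events:
        by_acct.setdefault(acct, []).append((datetime.fromisoformat(ts), kind, amount))
    flagged = {}
    for acct, rows in by_acct.items():
        rows.sort(key=lambda r: r[0])
        for start, kind, _ in rows:
            if kind != "password_reset":
                continue
            burst = [r for r in rows if start <= r[0] <= start + window]
            kinds = [k for _, k, _ in burst]
            signals = {
                "balance_moved": "balance_transfer_out" in kinds,
                "reload_amount_changed": "reload_amount_changed" in kinds,
                "repeat_reloads": kinds.count("auto_reload") >= 2,
            }
            if sum(signals.values()) >= 2:
                flagged[acct] = {
                    "signals": sorted(s for s, hit in signals.items() if hit),
                    # Money pulled from the linked payment card during the burst.
                    "card_charged": round(sum(a for _, k, a in burst if k == "auto_reload"), 2),
                    "span": burst[-1][0] - start,
                }
                break
    return flagged

if __name__ == "__main__":
    for acct, detail in flag_accounts(EVENTS).items():
        print(acct, detail)
```
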

The hack was uncovered by security researcher Bob Sullivan, who advises all Starbucks consumers to immediately disable auto-reload on Starbucks mobile payments and gift cards.

However, it appears to only be affecting US customers at the moment, with Starbucks saying it had not seen any similar activity in the UK or Europe.

“We take the obligation to protect customers’ information seriously and have safeguards in place to constantly monitor for fraudulent activity, working closely with financial institutions like all major retailers. For obvious reasons, we are unable to discuss specific security measures. Our customers’ security is incredibly important to us and we take all these concerns seriously.”


Interestingly, the company has said that neither its smartphone apps nor its systems have been breached, meaning that hackers could be using login details or credentials stolen in separate attacks – possibly the major Target data breach of last year.

As many of us still use only one set of password and login details, hackers who gain control of one set of credentials often try a ‘brute-force’ attack across a wide variety of sites, hoping for some success.

But the hack also underscores the need for companies to protect all of the sensitive information they hold on their customers, says Brendan Rizzo, technical director EMEA, HP Security Voltage.

“Criminals are always looking for a way to exploit a system in a way that they can then turn into cold hard cash,” he told TechWeekEurope. “In this case, there is a further risk in that the app stores and displays personal information about the user such as their name, full address, phone number and email address.  Criminals could then use this information or sell it on for use in more targeted larger-scale spear-phishing or identity theft attacks.

“Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line.  A data-centric approach to security is the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks.”
