Criminals are stealing money through the Starbucks app, ensure your passwords are strong

Starbucks, the internationally popular coffee chain, acknowledged that criminals are actively using the company's official app to obtain personal details as well as to gain access to monetary accounts. The criminals create a new gift card, load your money onto the card, and transfer the funds out. Starbucks had no process in place to challenge or halt the transactions, or to ask affected customers for a secondary approval. Bob Sullivan reports:

Because Starbucks isn't answering specific questions about the fraud, I cannot confirm precisely how it works, but I have informed speculation, based on conversations with an anonymous source who is familiar with the crime. The source said Starbucks was known to be wrestling with the problem earlier this year. Essentially, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer's stored value, and attack their linked credit card.

Since many people use the same, simple password for multiple, if not all accounts, once one system has been compromised, criminals can just try the same username and password combinations on other systems, and often get right in.
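The reuse pattern described above leaves a distinctive trace in login telemetry: one source tries many different usernames, most attempts fail, and the few that succeed are the accounts whose reused password has already leaked elsewhere. The Python block below is an added example, not code from the article or from Starbucks, that runs that check over a constructed sample of login audit lines; the log format, the IP addresses, the usernames and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login audit lines (assumed format: timestamp, source IP,
# username, result). Not real Starbucks telemetry.
SAMPLE_LOG = """\
2015-05-13T09:00:01Z 203.0.113.7 alice@example.com FAIL
2015-05-13T09:00:02Z 203.0.113.7 bob@example.com FAIL
2015-05-13T09:00:03Z 203.0.113.7 carol@example.com OK
2015-05-13T09:00:04Z 203.0.113.7 dave@example.com FAIL
2015-05-13T09:00:05Z 203.0.113.7 erin@example.com FAIL
2015-05-13T09:00:06Z 203.0.113.7 frank@example.com OK
2015-05-13T09:00:07Z 203.0.113.7 grace@example.com FAIL
2015-05-13T09:00:08Z 203.0.113.7 heidi@example.com FAIL
2015-05-13T09:00:09Z 203.0.113.7 ivan@example.com FAIL
2015-05-13T09:00:10Z 203.0.113.7 judy@example.com FAIL
2015-05-13T09:02:00Z 198.51.100.20 alice@example.com FAIL
2015-05-13T09:02:30Z 198.51.100.20 alice@example.com FAIL
2015-05-13T09:03:00Z 198.51.100.20 alice@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")
EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Parse audit lines into (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, match.group(2), match.group(3), match.group(4) == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=8, max_success_rate=0.5):
    """Flag source IPs that, within one time bucket, try many distinct
    usernames with a low success rate. A brute force against one account
    touches a single username; a stuffing run touches many, and the handful
    that succeed are the accounts to force-reset or step up."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        bucket = int((ts - EPOCH).total_seconds() // window.total_seconds())
        buckets[(ip, bucket)].append((user, ok))

    findings = {}
    for (ip, _), attempts in buckets.items():
        users = {user for user, _ in attempts}
        successes = [user for user, ok in attempts if ok]
        rate = len(successes) / len(attempts)
        if len(users) >= min_distinct_users and rate <= max_success_rate:
            findings[ip] = {
                "distinct_users": len(users),
                "attempts": len(attempts),
                "successes": successes,  # accounts whose reused password works
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

In the sample, 203.0.113.7 cycles through ten accounts in ten seconds and is flagged, and its two successes are the accounts that need a forced reset; 198.51.100.20 fails twice on one account and then succeeds, which is what a person mistyping looks like, and is left alone.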

Once they have access, the criminals are reportedly using the auto-refresh option to load more money onto the Starbucks account, and then using that money to send gift cards to email addresses they control.
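The article notes that nothing at Starbucks challenged these transfers or asked the customer for a secondary approval. As an added example (not Starbucks' code, and an assumed account model), the Python block below shows a step-up policy that would hold an eGift transfer for a second approval when the account shows the pattern just described: an auto-reload immediately followed by a gift to an address the account has never sent to, or gift spending that exceeds a daily cap. The thresholds and windows are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Account:
    """Stored-value account state relevant to the decision (assumed model)."""
    email: str
    known_recipients: set = field(default_factory=set)  # eGift addresses used before
    reload_times: list = field(default_factory=list)    # when auto-reloads fired
    gifts_sent: list = field(default_factory=list)      # (timestamp, amount) history


class StepUpPolicy:
    """Decide whether an eGift transfer may proceed or must be challenged
    (for example by a code sent to a trusted device) before funds leave."""

    def __init__(self, reload_window=timedelta(minutes=30),
                 new_recipient_cap=25.0, daily_cap=100.0):
        self.reload_window = reload_window
        self.new_recipient_cap = new_recipient_cap
        self.daily_cap = daily_cap

    def evaluate(self, account, when, recipient, amount):
        """Return ("allow" | "challenge", [reasons])."""
        reasons = []
        if recipient not in account.known_recipients and amount > self.new_recipient_cap:
            reasons.append("large gift to never-seen recipient")
        if any(timedelta(0) <= when - t <= self.reload_window for t in account.reload_times):
            reasons.append("auto-reload fired just before transfer")
        sent_24h = sum(a for t, a in account.gifts_sent
                       if timedelta(0) <= when - t <= timedelta(hours=24))
        if sent_24h + amount > self.daily_cap:
            reasons.append("24h gift velocity cap exceeded")
        return ("challenge" if reasons else "allow"), reasons

    def record_gift(self, account, when, recipient, amount):
        """Call once a transfer has been allowed or explicitly approved."""
        account.known_recipients.add(recipient)
        account.gifts_sent.append((when, amount))


def demo():
    """Walk three constructed transfers through the policy and return the decisions."""
    policy = StepUpPolicy()
    t0 = datetime(2015, 5, 13, 10, 0)
    victim = Account("victim@example.com", known_recipients={"friend@example.com"})
    results = []
    # Ordinary use: a small gift to someone the account has sent to before.
    results.append(policy.evaluate(victim, t0, "friend@example.com", 10.0))
    # The pattern from the article: auto-reload, then a gift to an unknown address.
    victim.reload_times.append(t0 + timedelta(minutes=5))
    results.append(policy.evaluate(victim, t0 + timedelta(minutes=8), "drop1@example.net", 50.0))
    # Even to a known recipient, repeated $100 cards trip the velocity cap.
    policy.record_gift(victim, t0 + timedelta(minutes=40), "friend@example.com", 100.0)
    results.append(policy.evaluate(victim, t0 + timedelta(hours=1), "friend@example.com", 100.0))
    return results


if __name__ == "__main__":
    for decision, reasons in demo():
        print(decision, reasons)
```

The point of the design is that the decision is made before money moves and is keyed on the account's own history, so a legitimate customer topping up and sending a gift to a regular contact is never interrupted, while the reload-then-drain sequence always is.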

"Your eGift Just Made Someone's Day! It's a great way to treat someone — whether it's to say Happy Birthday, Thank you or just 'this one's on me.'"

To be clear, there's no indication anyone has hacked into Starbucks's system to steal customer data. They're just exploiting weak, reused passwords. It's absolutely a crime, but it's one we can help prevent by using strong, unique passwords. An example of a strong, unique password is: 8qHjz>g%wHkY+siEzri8

Strong, unique passwords are incredibly hard to crack, but they are also almost impossible to remember, so we also recommend using a password manager like 1Password or LastPass. These tools include password generators that supply a different random password for each account, and they can also rate how strong a password is.
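The article gives one strong password and says that password managers generate and rate them. The Python block below is an added example, not code from the article or from any password manager: it generates passwords the way such a generator does (each character drawn from the operating system's CSPRNG) and estimates strength from length and character pool. The thresholds and the tiny common-password list are assumptions.

```python
import math
import secrets
import string

# Character pool a typical generator draws from (94 printable ASCII characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a breached-password list; real ones hold millions.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "starbucks", "letmein"}


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character with the OS CSPRNG (secrets), never random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def estimated_entropy_bits(password):
    """Upper-bound guessing entropy: length * log2(pool size), with the pool
    inferred from the character classes present. The number is only meaningful
    for passwords that were actually generated at random; a human-chosen
    password is far weaker than this estimate suggests."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 symbols
    return len(password) * math.log2(pool) if pool else 0.0


def rate_password(password):
    """Classify as weak / fair / strong (assumed thresholds), after a
    breached-list check that no entropy estimate can substitute for."""
    if password.lower() in COMMON_PASSWORDS:
        return "weak"
    bits = estimated_entropy_bits(password)
    if bits < 60:
        return "weak"
    if bits < 90:
        return "fair"
    return "strong"


if __name__ == "__main__":
    candidate = generate_password(20)
    print(candidate, round(estimated_entropy_bits(candidate), 1), rate_password(candidate))
```

The article's sample password comes out at about 131 bits, and even under a 15-character ceiling like the one a commenter mentions, a password generated over the full 94-character pool estimates at roughly 98 bits. Short human-chosen strings such as "Password1" fall below the weak threshold despite mixing three character classes.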

Starbucks should also offer two-step authentication — where a token gets texted to a trusted device, like your iPhone — for better security on their end as well.

19 Comments
  • I had this attempted on my account. I had a password with capital letters, numbers, & punctuation. It still happened. The problem is how Starbucks stores the password info.... Probably in plain text somewhere. My credit card company stopped the $10,000 in $100 gift cards that was attempted to be bought on my account. Sent from the iMore App
  • This is primarily for those that have the auto feature to fill their SB card via a debit, credit, or PayPal turned on, correct? They can't get to your financial accounts with the SB card alone can they? Sent from the iMore App
  • That is partly correct. There is also the little feature of allowing you to tie the SB card to a credit card or PayPal account as a payment method. So if you combine that with the auto refill feature it would explain why people are losing hundreds of dollars at a time. It's also why I never use either of those features.
  • I don't have this feature enabled, I always top up manually. I think my password is pretty strong. Sent from the iMore App
  • As a LastPass user I never appreciated the fact Starbucks only allows a maximum of 15 characters for passwords. I like to keep my passwords a minimum of 30 characters.
  • In addition to using strong passwords, I would recommend not having a credit card attached to the app other than perhaps Apple Pay. That way even if someone got access to your account info, they would not be able to use it for financial profit without your fingerprint.
  • This is why I never tie store cards to my credit card. I'm also surprised that Starbucks was so quick to put the blame on their customers. A very disappointing and bad customer relations response in my opinion. They should require strong passwords at a minimum like many other sites do. It's obviously not difficult to do so.
  • Starbucks makes a lot of questionable PR/marketing decisions.
  • It is the customer's fault; you either can have security or convenience, not both. I hate when the person tries to reload on their app rather than have me reload at the register for them—why didn't you do it while waiting in line? Sent from the iMore App
  • This is why a pay system like CurrentC is a joke.. Just look at this issue, which should be covered / insured against fraud because it's going against CCs and some PayPal accounts, and ask yourself: Would it be wise to give an App like CurrentC direct withdraw access to my CHECKING account, that's not insured against fraud? ahh.. no..
  • I still don't understand how the thieves are getting our money. If they don't have physical possession of our iPhone or our Starbucks card, how are they doing this? I must be missing something, sorry. I used to go to Starbucks for my wife on weekends and I used the Starbucks app, but haven't gone there for a year since I bought her a Nespresso machine--no need for the overpriced crap from Starbucks anymore!
  • The way I understand it: the bad guy has the Starbucks app on his phone or uses Starbucks.com. He has obtained a list of stolen e-mail addresses and known working/valid passwords, and tries those via the Starbucks app/site to see if that combination works to gain access to a victim's Starbucks account (it won't work if the e-mail address isn't associated with a Starbucks account, or if the password on the Starbucks account is different from the one on the list). Even if the bad guy does get in, the account must have a valid credit card linked to it. If not, there's nothing he can really do with it. But if a credit/debit card is linked, then the bad guy can purchase gift cards with the linked credit card and have those sent by e-mail to his various temporary mail accounts. As far as I know, such gift cards can only be used at Starbucks and the other chains Starbucks owns. Also, I don't think you can take a Starbucks gift card into a store and get the balance exchanged for cash. Such a method wouldn't work for, say, an Amazon.com gift card, because it's not anonymous for the bad guy. Sure, he could hack into someone's account in a similar method as with Starbucks and purchase electronic Amazon gift cards, but then those gift cards would be a little more traceable when used (you've got to ship the merchandise bought with the card somewhere). Using a Starbucks gift card, on the other hand, is completely anonymous. It would seem that Starbucks has no way to trace them or at least void them.
  • OK, thanks! Even though I've kicked the Starbucks habit (or, I should say, my wife did...OK, I forced her to because we're saving tons of money using the amazing Nespresso VertuoLine machine...I've even started drinking decaf once in a while...but I digress....), I changed my password, anyway--I had forgotten what a stupidly simple password I had used there! And this is from a guy with 1Password! Sheesh! Anyway, THANK YOU, iMore, for the heads up!
  • I do go to Starbucks, but I get my coffee fix via Bing; the more searches I do for either the boss or myself, the points get me $5.00 gift cards.
  • It is actually pretty amazing to me how much "Negative Press" Starbucks has been getting lately on various things, like last week during a company-wide software update, ALL stores were essentially closed down until this was taken care of, and now this! Looks like the CEO of Starbucks needs to pay closer attention to his company and add 2-stage authentication to the company's official app!
  • And that "promo" where they encouraged employees to engage customers in conversations about political and social issues. Tone deaf.
  • That's what they get for charging 5 bucks for a coffee. Sent from the iMore App
  • I sign out when not using it. I never use their wifi. Make sure you turn it off before using the app. Never auto reload. Never use the same password for multiple apps. Keep passwords hard, and change them often. When you do change them, and do not get an email notice, it may be time to delete that app until it is more secured. Sent from the iMore App
  • By the way, this has been going on since Jan 2014. Maybe earlier. You would think SB would have a fix. Sent from the iMore App