Weak passwords allowing hackers to steal money from Starbucks app users

Users of the official Starbucks mobile app are being targeted by hackers, with connected PayPal, debit card and bank accounts being relieved of, in some cases, hundreds of dollars. Once an account has been infiltrated, the criminals create a gift card, load it up at the holder's expense, and transfer the funds to themselves as if they were sending a gift. To add insult to injury, those afflicted are also met with a deluge of automated emails, with messages running along the lines of "Your eGift Just Made Someone's Day."

Starbucks has acknowledged that a number of its customers have been scammed in this manner, although it vehemently denies any wrongdoing. The world's largest coffeehouse insists that there has been no security breach on its end and instead believes that customers with weaker passwords have left themselves susceptible to intrusion.

According to consumer advocate and cyber-crime commentator Bob Sullivan, who first broke this story, Starbucks' 'auto-reload' feature is at least partially culpable in many cases, permitting thieves to steal hundreds of dollars from linked credit cards "in a matter of minutes." 

As you may have gleaned, auto-reload is an optional function that automatically tops up an account once the balance hits zero, which is convenient if you're a regular Starbucks-goer and don't want the hassle of incessantly adding credit. But the catch is that once an account is hacked, the auto-reload threshold can be increased, meaning a criminal can repeat the process while pulling larger sums into the account from the linked payment method each time.

The simplicity of auto-reload means that hacked accounts can be stripped of a lot of money in a very short period, and as such, Sullivan recommends that all Starbucks customers immediately disable the feature. 
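As a defender-side illustration of the drain pattern Sullivan describes (threshold raised, then repeated gift transfers within minutes), here is an added example that is not from the article or from Starbucks: it flags that sequence in a constructed account event log. The event names, fields and sample data are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of app account events (not real Starbucks data).
# Fields: timestamp, account, event, amount (0 when not applicable).
SAMPLE_EVENTS = """\
2015-05-13T08:01:00 acct-1 login 0
2015-05-13T08:01:40 acct-1 auto_reload_threshold_changed 100
2015-05-13T08:02:10 acct-1 gift_card_created 0
2015-05-13T08:02:30 acct-1 auto_reload_triggered 100
2015-05-13T08:03:00 acct-1 gift_transfer_out 100
2015-05-13T08:04:00 acct-1 auto_reload_triggered 100
2015-05-13T08:04:30 acct-1 gift_transfer_out 100
2015-05-13T09:00:00 acct-2 login 0
2015-05-13T09:05:00 acct-2 auto_reload_triggered 25
2015-05-13T12:00:00 acct-2 purchase 4
"""


def parse_events(text):
    """Parse one event per line into (timestamp, account, event, amount)."""
    events = []
    for line in text.splitlines():
        ts, acct, event, amount = line.split()
        events.append((datetime.fromisoformat(ts), acct, event, int(amount)))
    return events


def flag_drain_pattern(events, window=timedelta(minutes=10), min_transfers=2):
    """Return {account: total_transferred} for accounts where the auto-reload
    threshold was raised and at least `min_transfers` outbound gift transfers
    followed within `window` of that change (the sequence the article describes).
    Normal use (acct-2: a reload followed by a purchase) is not flagged."""
    by_acct = {}
    for ev in events:
        by_acct.setdefault(ev[1], []).append(ev)
    flagged = {}
    for acct, evs in by_acct.items():
        evs.sort()  # tuples sort by timestamp first
        for change in (e for e in evs if e[2] == "auto_reload_threshold_changed"):
            transfers = [e for e in evs
                         if e[2] == "gift_transfer_out"
                         and change[0] <= e[0] <= change[0] + window]
            if len(transfers) >= min_transfers:
                flagged[acct] = sum(e[3] for e in transfers)
    return flagged


if __name__ == "__main__":
    print(flag_drain_pattern(parse_events(SAMPLE_EVENTS)))  # {'acct-1': 200}
```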

As well as halting auto-reload, a long alphanumeric password with plenty of symbols and capital letters is always advised, whatever you may be signing up to. Moreover, reusing the same pass-phrase across services should be avoided, so that if one password is cracked, only that account is at risk of being compromised.

So, if you are as partial to convenient passwords as you are to a double espresso, ensure that your Starbucks password is secure and impossible for anybody else to guess. This concerted effort appears to have targeted Starbucks customers, but it could happen to any app or service dealing with your money, so go ahead and check out our round-up of 5 free password managers for iOS and Android to help you stay protected.



2. Deadeye37

Posts: 312; Member since: Jan 25, 2011

They're putting all that money on gift cards? That is a lot of stolen coffee!

3. elitewolverine

Posts: 5192; Member since: Oct 28, 2013

Dealt with this every day when I worked for the Starbucks center, call center a few years back.

4. xq10xa

Posts: 810; Member since: Dec 07, 2010

Terrible coffee. Terrible security.

5. Tazer2365

Posts: 52; Member since: Jul 28, 2012

And this is why I use Apple Pay every time I go to Starbucks. It's quite amusing seeing people scan a barcode on their phone sometimes struggling to do so when I simply wave my Apple Watch and boom, done!

6. Sauce5 unregistered

Going to Starbucks right now and stealing SamsungPhanboy's money to get me a nice frap. PW: Samsung

9. gaming64 unregistered

Did you misspell fap? O.o

7. gaming64 unregistered

Now I know why the Philippines doesn't have the Starbucks ad (or so I see)

10. EbonyPericarp

Posts: 67; Member since: May 02, 2015

You can lead any fool to Starbucks, but you can't make them use a strong password.... The user is always the weakest link in any security situation. Being in the top 1% of safe users involves no more than simply setting up a strong password.

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.