While consumer wallets may take a hit from daily doses of $3 coffee and $6 frappuccinos, the most costly thing currently on the Starbucks menu might just be weak passwords, now that reports have emerged that hackers are racking up fraudulent charges on credit cards used by the coffee retailer's customers to re-load their Starbucks gift cards and mobile payment accounts.
It seems that attackers have taken advantage of the auto re-load function on the Starbucks app, which lets consumers quickly and easily load value into their accounts from a linked payment card or bank account once the balance dips below a certain threshold.
Calling the “new scam so ingenious [hackers] don't even need to know the account number of the card they are hacking,” Bob Sullivan, a consumer advocate, said in a blog post that thieves “can steal hundreds of dollars in a matter of minutes” by draining the card balance and then stealing additional dollars once the Starbucks account auto re-loads from the linked credit card or bank account.
Sullivan recounted the experience of one consumer whose $34.77 in value was stolen “then another $25 after it was auto-loaded into her card because her balance hit 0.” The hackers then “upped the ante,” he wrote, “changing her auto reload amount to $75, and stealing that amount, too. All within 7 minutes.”
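The sequence Sullivan describes is worth modelling, because it shows why the auto-reload design itself, not just the stolen password, is what turns a $34.77 loss into a much larger one. The Python below is an added example and is not Starbucks' code or anything derived from it: it replays the dollar amounts from the account above against a naive auto-reload rule (reload whenever the balance hits zero, for whatever amount the account currently says) and then against an assumed hardening policy (a per-window reload velocity cap plus a cooldown that freezes auto-reload after the reload amount is changed), and includes a simple burst detector of the kind a fraud-monitoring pipeline would run over reload events. The timestamps, the point at which the reload amount is changed, the zero-balance trigger and all policy numbers are assumptions, not facts from the report.

```python
"""Replay of the auto-reload drain described in the article, with a naive
reload rule versus an assumed velocity/cooldown policy. Added example;
amounts are from the article, timestamps and policy numbers are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed timeline. The $34.77 / $25 / $75 figures and the ~7-minute span
# come from the article; the clock values and the position of the
# "change reload amount" step are assumptions for the simulation.
T0 = datetime(2015, 5, 13, 9, 0, 0)
INCIDENT = [
    (T0,                        "purchase",   34.77),  # existing balance drained
    (T0 + timedelta(minutes=3), "set_reload", 75.00),  # attacker raises reload amount
    (T0 + timedelta(minutes=5), "purchase",   25.00),  # spends the $25 auto-reload
    (T0 + timedelta(minutes=6), "purchase",   75.00),  # spends the $75 auto-reload
]


@dataclass
class Account:
    balance: float = 34.77          # starting balance from the article
    reload_amount: float = 25.00    # auto-reload amount before the attacker changed it
    reload_trigger: float = 0.00    # assumption: reload fires when balance <= trigger
    charged_to_linked_card: float = 0.0
    reload_log: list = field(default_factory=list)   # (timestamp, amount) per reload
    last_setting_change: Optional[datetime] = None


@dataclass
class ReloadPolicy:
    """Assumed hardening: cap reload velocity, and freeze auto-reload for a
    cooldown after the reload amount is changed (a re-auth step would lift it)."""
    window: timedelta = timedelta(hours=24)
    max_reloads_per_window: int = 1
    max_dollars_per_window: float = 50.00
    cooldown_after_setting_change: timedelta = timedelta(hours=24)


def reload_denied_reason(acct: Account, policy: Optional[ReloadPolicy],
                         now: datetime) -> Optional[str]:
    """Return None if an auto-reload may fire now, else the policy reason blocking it."""
    if policy is None:                       # naive rule: always reload
        return None
    if (acct.last_setting_change is not None
            and now - acct.last_setting_change < policy.cooldown_after_setting_change):
        return "reload amount changed recently; re-authentication required"
    recent = [amt for ts, amt in acct.reload_log if now - ts < policy.window]
    if len(recent) >= policy.max_reloads_per_window:
        return "reload count limit reached for window"
    if sum(recent) + acct.reload_amount > policy.max_dollars_per_window:
        return "reload dollar limit exceeded for window"
    return None


def simulate(events, policy: Optional[ReloadPolicy] = None):
    """Run the event list through the account; return (account, blocked events)."""
    acct = Account()
    blocked = []
    for ts, kind, amount in events:
        if kind == "set_reload":
            acct.reload_amount = amount
            acct.last_setting_change = ts
            continue
        if amount > acct.balance + 1e-9:    # a gift card cannot go negative
            blocked.append((ts, "purchase", "insufficient balance"))
            continue
        acct.balance = round(acct.balance - amount, 2)
        if acct.balance <= acct.reload_trigger:
            reason = reload_denied_reason(acct, policy, ts)
            if reason is None:
                acct.balance = round(acct.balance + acct.reload_amount, 2)
                acct.charged_to_linked_card = round(
                    acct.charged_to_linked_card + acct.reload_amount, 2)
                acct.reload_log.append((ts, acct.reload_amount))
            else:
                blocked.append((ts, "auto_reload", reason))
    return acct, blocked


def flag_reload_bursts(reload_log, window=timedelta(minutes=10), max_reloads=1) -> bool:
    """Monitoring-side check: True if more than max_reloads fire inside any window."""
    times = sorted(ts for ts, _ in reload_log)
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) > max_reloads:
            return True
    return False


if __name__ == "__main__":
    naive, _ = simulate(INCIDENT)
    print("naive rule charged to linked card:", naive.charged_to_linked_card,
          "burst flagged:", flag_reload_bursts(naive.reload_log))
    hardened, blocked = simulate(INCIDENT, ReloadPolicy())
    print("hardened policy charged:", hardened.charged_to_linked_card)
    for ts, kind, reason in blocked:
        print(" blocked", kind, "at", ts.time(), "->", reason)
```

Under the naive rule the linked card is charged $25, then $75, and then $75 again the moment the last drain empties the balance, so the loop only stops when someone notices; the burst detector flags it from the reload log alone. Under the assumed policy the first $25 reload still goes through (it is indistinguishable from a legitimate one), but the reload after the amount change is held for re-authentication and the $75 purchase fails for lack of balance, capping the loss at the original balance plus one reload.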
While Starbucks has not released details of any type of recent hack, the company did post a security statement to its website stressing that it “has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions” to protect customer information.
The statement noted that from time to time its customers report fraudulent activity which “is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks.”
Indeed, some reports have tried to pin the hack on information stolen from Target or another recently breached retailer, but for now specific details are not forthcoming.
“No one knows how the bad guys are stealing the Starbucks cards cash, but all guesses point to a bunch of weak passwords that are allowing hackers to game the auto-refill system,” according to comments emailed to SCMagazine.com from Jonathan Sander, strategy & research officer at STEALTHbits Technologies, who says the hack follows a decidedly familiar tune. “What can you do about it? Let's all sing along now: change your Starbucks password, make sure the new password is unique and complex, and for goodness sake don't use that same password on another site or service.”