As reported by CNN, thieves are stealing money from people’s credit cards, bank and PayPal accounts — by first tapping into their Starbucks mobile app.
Starbucks (SBUX) on Wednesday acknowledged that criminals have been breaking into individual customer rewards accounts.
The Starbucks app lets you pay at checkout with your phone. It can also reload Starbucks gift cards by automatically drawing funds from your bank account, credit card or PayPal.
That’s how criminals are siphoning money away from victims. They break into a victim’s Starbucks account online, add a new gift card, transfer funds over — and repeat the process every time the original card reloads.
The same thing happened to Kristi Overton on Monday morning. She was working from her desk at an auto body shop in Florence, Alabama, when her phone dinged five times. Someone broke into her Starbucks account, turned on the auto-reload feature, then emptied her existing gift card repeatedly.
The thief stole $115 in a few seconds — and luckily didn’t trigger a bank overdraft fee. Starbucks and PayPal have promised her the charges will be reversed.
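The drain pattern the article describes (attacker adds a fresh gift card, switches on auto-reload, then moves the balance to the new card every time the original refills) is visible in a platform's own account-activity records. The rule below is an added example of how a payment-platform defender might flag it; it is not code from the article, Starbucks, or CNN. The event format, field names (`card_added`, `autoreload_on`, `transfer`, `reload`), the 15-minute window and the three-transfer threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of account-activity records (not real Starbucks data).
# Layout: timestamp account event key=value ...
SAMPLE_EVENTS = """\
2015-05-11T08:01:02 acct-1001 login device=new ip=198.51.100.7
2015-05-11T08:01:20 acct-1001 card_added card=gc-new-77
2015-05-11T08:01:35 acct-1001 autoreload_on card=gc-orig-12
2015-05-11T08:01:40 acct-1001 transfer from=gc-orig-12 to=gc-new-77 amount=25.00
2015-05-11T08:01:48 acct-1001 reload card=gc-orig-12 amount=25.00 source=paypal
2015-05-11T08:01:52 acct-1001 transfer from=gc-orig-12 to=gc-new-77 amount=25.00
2015-05-11T08:02:01 acct-1001 reload card=gc-orig-12 amount=25.00 source=paypal
2015-05-11T08:02:05 acct-1001 transfer from=gc-orig-12 to=gc-new-77 amount=25.00
2015-05-11T08:02:14 acct-1001 reload card=gc-orig-12 amount=25.00 source=paypal
2015-05-11T08:02:18 acct-1001 transfer from=gc-orig-12 to=gc-new-77 amount=25.00
2015-05-11T08:02:30 acct-1001 reload card=gc-orig-12 amount=15.00 source=paypal
2015-05-11T08:02:33 acct-1001 transfer from=gc-orig-12 to=gc-new-77 amount=15.00
2015-05-11T09:15:00 acct-2002 login device=known ip=203.0.113.9
2015-05-11T09:15:30 acct-2002 card_added card=gc-gift-05
2015-05-11T09:16:00 acct-2002 transfer from=gc-main-01 to=gc-gift-05 amount=20.00
2015-05-11T12:00:00 acct-3003 login device=known ip=203.0.113.20
2015-05-11T12:00:10 acct-3003 reload card=gc-main-02 amount=25.00 source=bank
"""

WINDOW = timedelta(minutes=15)   # assumed: how long a just-added card counts as "new"
MIN_TRANSFERS = 3                # assumed: repeated drains, not a single legitimate top-up


def parse_event(line):
    """Turn one log line into a dict; trailing key=value pairs become fields."""
    ts, account, event, *pairs = line.split()
    detail = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": datetime.fromisoformat(ts), "account": account, "event": event, **detail}


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def detect_reload_drain(events):
    """Flag accounts whose balance is repeatedly moved to a card added minutes earlier.

    Returns {account: {"card", "transfers", "amount", "signals"}} for flagged accounts.
    """
    new_cards = {}                                  # (account, card) -> time added
    signals = defaultdict(set)                      # account -> corroborating signals
    drains = defaultdict(lambda: {"card": None, "transfers": 0, "amount": 0.0})

    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        if ev["event"] == "login" and ev.get("device") == "new":
            signals[acct].add("new-device login")
        elif ev["event"] == "card_added":
            new_cards[(acct, ev["card"])] = ev["ts"]
        elif ev["event"] == "autoreload_on":
            signals[acct].add("auto-reload switched on")
        elif ev["event"] == "transfer":
            added_at = new_cards.get((acct, ev["to"]))
            # Only transfers INTO a recently added card count toward the drain score.
            if added_at is not None and ev["ts"] - added_at <= WINDOW:
                d = drains[acct]
                d["card"] = ev["to"]
                d["transfers"] += 1
                d["amount"] += float(ev["amount"])

    alerts = {}
    for acct, d in drains.items():
        if d["transfers"] >= MIN_TRANSFERS:
            alerts[acct] = {**d, "signals": sorted(signals[acct])}
    return alerts


if __name__ == "__main__":
    for acct, alert in detect_reload_drain(parse_log(SAMPLE_EVENTS)).items():
        print(f"{acct}: {alert['transfers']} transfers, ${alert['amount']:.2f} "
              f"to {alert['card']}; signals: {', '.join(alert['signals'])}")
```

Only `acct-1001` is flagged: five transfers totalling $115 into a card that was added about a minute earlier, with a new-device login and an auto-reload toggle as corroborating signals. `acct-2002` adds a card and moves money once, which is what a real gift looks like, so it stays below the threshold. The same velocity check is a natural place to hold the transfer for a step-up verification (such as the text-message confirmation the article mentions) rather than just logging it.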
“I think it’s too easy to dip into someone’s bank account,” she said. “The Starbucks app’s security measures need to be updated.”
Overton has since removed the Starbucks app from her phone as well.
Starbucks told CNNMoney the company has not been hacked, and it didn’t lose customer data. The company said these account takeovers are likely due to weak customer passwords. Starbucks suggested that customers use unique, strong passwords.
That might be what happened to Overton. She admitted she reused the same password on her email and Starbucks account. Another Starbucks customer — Nicole McCool in Austin, Texas — was also forced to reset her passwords after someone stole $100 from the Starbucks account linked to her bank account in October, leaving her without a debit card and unable to pay bills for 10 days.
But Starbucks can do more on its end. Most respectable online services (like Gmail, Twitter and LinkedIn) let users enable two-step authentication, which sends a text message to your phone whenever you sign in from a new device. This added layer of security would have protected Starbucks customers, said Gavin Reid, an executive with cybersecurity firm Lancope.
Starbucks wouldn’t say if it’s adding new security measures to its system. But it promises customers will be reimbursed for any fraudulent charges.
This is the second time Starbucks’ payment system has run into security issues. Last year someone discovered the Starbucks app left passwords vulnerable, because it was storing them in plain text.
Because this is an issue with account access, the only way for customers to protect themselves is to create a strong password — and erase any payment methods attached to their Starbucks account. Disabling the auto-reload of money isn’t enough. A criminal can just turn that back on.