Starbucks Hacked Again - 16 Million User Accounts at Risk, Money Stolen

16 million: that is the number of customers who use Starbucks' mobile payment app. For the second time, the service has been compromised and customer accounts and money have been put at risk. The previous incident, in January 2014, led so many users to delete the app that it dropped sharply in the App Store rankings, not to mention the terrible PR that came with it.

Starbucks is in the news again, for the wrong reasons. A few days ago, independent journalist and best-selling author Bob Sullivan reported that criminals had stolen money from several Starbucks customers. After getting into a victim's Starbucks account, they drained the stored balance and, through the app's auto-reload function, kept pulling money from the credit card linked to it. The attacker never needs the card number itself; the app moves money from the card on their behalf.

In his detailed post, he describes how one Starbucks customer had $34.77 stolen from her account last week, then another $25 after the account auto-reloaded, and then another $75 after the attackers raised her auto-reload amount. All of it happened in less than ten minutes.

Criminals are using Starbucks accounts to access consumers’ linked credit cards. Taking advantage of the Starbucks auto-reload function, they can steal hundreds of dollars in a matter of minutes.

"Since this is very easy to do and it is not clear what consumer protections Starbucks is putting in place, it is suggested that everyone disable the auto-reload function immediately."

Starbucks Hacked Again - Why is this a big deal?

The fraud is a big deal because Starbucks mobile payments are a big deal. Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about 1 in 6 transactions at Starbucks are conducted with the Starbucks app.

A Reddit thread on the subject shows a handful of other customers with similar stories. Some attackers even used the stolen accounts to e-mail gift cards to themselves.

"It is crucial for companies to take security seriously. At Appknox, we have been emphasising this for a long time. Consumers need to be aware of the risks they face and businesses need to take ownership."

Sources: Bob Sullivan, GeekWire

How was it Hacked?

As soon as the news of the Starbucks hack broke, people started speculating about how it actually happened. Starbucks has issued no official statement explaining how the accounts were compromised, but a few theories have been put forward. According to some researchers, Starbucks was the target of an active phishing campaign. Others believe the campaign targeted not only Starbucks but several other companies as well.

Now let's look at the method the attackers used. At Starbucks outlets, customers can pay at checkout with the app, which debits the stored-value Starbucks Card (a gift card) registered in the account. Starbucks also lets users auto-reload that card, automatically pulling funds from a linked credit card, bank account or other payment method whenever the balance runs low. That auto-reload is where the attackers come into the picture.

Once an attacker is inside a victim's account, they add a gift card of their own and transfer the victim's balance to it, without any further authorisation from the user. When the balance hits zero, auto-reload charges the linked card and tops it up again, so the attacker simply transfers the new balance out, and can raise the reload amount to make each round more profitable. The attack is easier still when the victim reuses the same password on other sites, since credentials leaked elsewhere can be tried against Starbucks accounts.

What Steps can be Taken to Prevent Such Attacks in Future?

In the Starbucks case, the attack worked because a password alone was enough both to log in and to move money: the transfers and the change of auto-reload amount were never challenged with a second factor. The first step, therefore, is to prompt users to enable multi-factor authentication, or make it mandatory, and to require it again (step-up authentication) before sensitive actions such as transferring a balance, changing the auto-reload amount or adding a payment method.

Security experts regard this as the best single mitigation for this kind of threat. Multi-factor authentication lets the service verify the user's identity at critical moments, so a stolen or reused password on its own is no longer enough to drain an account. It is not a cure-all, but it removes the cheapest attack: a password obtained somewhere else.
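To make the mechanism from "How was it Hacked?" and the step-up recommendation above concrete, here is a small model of a stored-value card with auto-reload. It is an added example written for this article, not Starbucks code; the `Wallet` class, its `require_step_up` and `max_reloads_per_day` policy settings, and the rule that a reload fires lazily when a debit exceeds the balance are all assumptions. It replays the $34.77 / $25 / $75 sequence from the report against an unprotected account, then against one with a per-day reload cap, then against one that demands a second factor for transfers and auto-reload changes.

```python
from dataclasses import dataclass, field
from typing import List, Optional


class StepUpRequired(Exception):
    """A sensitive action needs a second factor the caller did not present."""


class VelocityLimit(Exception):
    """Auto-reload has hit the per-day cap (assumed policy, not a Starbucks setting)."""


@dataclass
class Wallet:
    """Stored-value card with auto-reload from a linked payment card.

    Simplification (assumption): the reload fires lazily, when a debit exceeds
    the current balance, rather than on a low-balance threshold.
    """
    balance: float
    auto_reload_amount: float
    require_step_up: bool = False               # hardening: second factor for sensitive actions
    max_reloads_per_day: Optional[int] = None   # hardening: velocity cap on card charges
    card_charges: List[float] = field(default_factory=list)  # what the victim's card is billed
    reloads_today: int = 0

    def _auto_reload(self) -> None:
        """Charge the linked card and top the balance up."""
        if self.max_reloads_per_day is not None and self.reloads_today >= self.max_reloads_per_day:
            raise VelocityLimit("reload cap reached; manual top-up required")
        self.card_charges.append(self.auto_reload_amount)
        self.balance = round(self.balance + self.auto_reload_amount, 2)
        self.reloads_today += 1

    def _check_step_up(self, action: str, second_factor_ok: bool) -> None:
        # A password alone proves only that the caller controls the login,
        # which is exactly what the attacker holds after an account takeover.
        if self.require_step_up and not second_factor_ok:
            raise StepUpRequired(action)

    def set_auto_reload(self, amount: float, second_factor_ok: bool = False) -> None:
        """Change the reload amount; a sensitive action, so step-up applies."""
        self._check_step_up("change auto-reload amount", second_factor_ok)
        self.auto_reload_amount = amount

    def transfer_out(self, amount: float, second_factor_ok: bool = False) -> float:
        """Move balance to another card, e.g. a gift card the attacker controls."""
        self._check_step_up("transfer to another card", second_factor_ok)
        if round(self.balance - amount, 2) < 0:
            self._auto_reload()                     # pulls from the linked card
        if round(self.balance - amount, 2) < 0:
            raise ValueError("insufficient funds even after reload")
        self.balance = round(self.balance - amount, 2)
        return amount


def attacker_drain(wallet: Wallet) -> dict:
    """Replay the reported sequence using only a stolen password (no second factor).

    Returns how much left the account, what the victim's card was charged, and
    which control, if any, stopped the attack.
    """
    stolen = 0.0
    stopped_by = None
    try:
        stolen += wallet.transfer_out(wallet.balance)             # empty the existing balance
        stolen += wallet.transfer_out(wallet.auto_reload_amount)  # forces a reload, then takes it
        wallet.set_auto_reload(75.00)                             # raise the reload amount
        stolen += wallet.transfer_out(75.00)                      # forces a bigger reload, takes it
    except (StepUpRequired, VelocityLimit) as exc:
        stopped_by = type(exc).__name__
    return {"stolen": round(stolen, 2),
            "card_charges": list(wallet.card_charges),
            "stopped_by": stopped_by}


if __name__ == "__main__":
    # Constructed scenario: $34.77 balance and a $25 auto-reload, as in the report.
    print(attacker_drain(Wallet(34.77, 25.00)))                          # unprotected
    print(attacker_drain(Wallet(34.77, 25.00, max_reloads_per_day=1)))   # velocity cap
    print(attacker_drain(Wallet(34.77, 25.00, require_step_up=True)))    # step-up auth
```

The unprotected account loses $134.77 and the card is charged twice; the reload cap limits the loss to the balance plus one reload; the step-up check stops the very first transfer because the attacker cannot present a second factor.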

In a similar incident at the food delivery company Zomato, the attacker took advantage of a company employee having used the same credentials on multiple platforms. The lesson for users is the same: never reuse a password across services, change any password that may have been exposed in another breach, and treat a payment app's password as carefully as the card behind it. Until stronger checks are in place, turning off auto-reload, as suggested above, limits what an attacker can take from a compromised account.
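Credential reuse shows up in the login logs before any money moves: one source address trying many different accounts with mostly failures, followed by a few successes that are the takeovers. The detector below is an added example written for this article, not Starbucks tooling; the log format (`timestamp ip username OK|FAIL`), the sample lines and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple


class LoginEvent(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


# Constructed sample log; assumed format "ISO-timestamp ip username OK|FAIL".
# 203.0.113.7 sprays seven accounts in a few seconds and gets into two of them;
# 198.51.100.2 is one user mistyping a password; 192.0.2.9 is below threshold.
SAMPLE_LOG = """\
2015-05-12T09:00:01 203.0.113.7 alice@example.com FAIL
2015-05-12T09:00:02 203.0.113.7 bob@example.com FAIL
2015-05-12T09:00:03 203.0.113.7 carol@example.com OK
2015-05-12T09:00:04 203.0.113.7 dave@example.com FAIL
2015-05-12T09:00:05 203.0.113.7 erin@example.com FAIL
2015-05-12T09:00:06 203.0.113.7 frank@example.com FAIL
2015-05-12T09:00:07 203.0.113.7 grace@example.com OK
2015-05-12T09:01:10 198.51.100.2 alice@example.com FAIL
2015-05-12T09:01:25 198.51.100.2 alice@example.com FAIL
2015-05-12T09:01:40 198.51.100.2 alice@example.com OK
2015-05-12T10:30:00 192.0.2.9 heidi@example.com FAIL
2015-05-12T10:30:05 192.0.2.9 ivan@example.com FAIL
"""


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the assumed log format into events; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events: List[LoginEvent], window_seconds: int = 300,
                    min_distinct_users: int = 5, min_fail_ratio: float = 0.5) -> Dict[str, dict]:
    """Flag source IPs that, within one window, hit many distinct accounts
    with a high failure rate. 'took_over' lists the accounts that logged in
    successfully from such an IP: lock those and force a password reset.

    Windows are fixed-size buckets counted from the earliest event, so the
    result does not depend on the host's time zone.
    """
    if not events:
        return {}
    t0 = min(e.ts for e in events)
    buckets: Dict[tuple, List[LoginEvent]] = defaultdict(list)
    for e in events:
        bucket = int((e.ts - t0).total_seconds()) // window_seconds
        buckets[(e.ip, bucket)].append(e)

    flagged: Dict[str, dict] = {}
    for (ip, _), evs in buckets.items():
        users = {e.user for e in evs}
        failures = sum(1 for e in evs if not e.ok)
        if len(users) >= min_distinct_users and failures / len(evs) >= min_fail_ratio:
            s = flagged.setdefault(ip, {"attempts": 0, "users": set(), "took_over": set()})
            s["attempts"] += len(evs)
            s["users"] |= users
            s["took_over"] |= {e.user for e in evs if e.ok}

    return {ip: {"attempts": s["attempts"],
                 "distinct_users": len(s["users"]),
                 "took_over": sorted(s["took_over"])}
            for ip, s in flagged.items()}


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Only 203.0.113.7 is flagged: seven distinct accounts in seven seconds with five failures, and the two successes (carol and grace) are the accounts to lock and reset. The single user retrying her own password and the two-account probe both stay under the thresholds; tune `min_distinct_users` and `window_seconds` to the login volume of the service.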

Published on May 14, 2015
Written by Subho Halder

Subho Halder is the CISO and Co-Founder of Appknox. He started his career researching mobile security and currently helps businesses detect and fix security vulnerabilities. He has also found critical vulnerabilities at companies such as Google, Facebook and Apple.
