The Starbucks app is the key to a new scam where thieves are stealing money from your bank account or PayPal by hacking into the Starbucks app that sits on your iPhone or Android and sending out gift cards.
In this new scheme, criminals rely on weak passwords to log in to your Starbucks account on their iPhone, iPad, Android or computer and then tap into the bank account that you likely use to keep your Starbucks card loaded up.
By continually drawing funds from a Starbucks card that is set to auto-refill, the thief can keep siphoning money out of your bank account like a never-ending Frappuccino.
Bob Sullivan discovered the hack that relies on users not guarding their Starbucks app password with the same security as a bank account. By tapping into the Starbucks app, which users are less likely to secure with a strong password, the thieves can still drain your bank account, rack up credit card charges or empty your PayPal.
Sullivan shares the story of Maria Nistri, who woke up to an alert that her account username and password had changed, and then discovered that the thief stole over $100 in a matter of seven minutes. Nistri could not speak to a Starbucks app support team until after 8 AM, and the theft started at 7 AM.
Starbucks told CNN Money that the problem is not with the Starbucks app. Starbucks blames “weak customer passwords” that many customers may re-use from other sites.
When consumers re-use passwords and usernames or emails across multiple sites, it is easier for a thief to steal an account by trying passwords and usernames over and over again. The thief must verify the Starbucks card balance transfer with an email, but once the thief controls the Starbucks account they can easily change the email address and then verify with the new email.
This is a good reminder to use a strong password and a unique password on any service you use, especially services that link to your bank account or credit card. A strong password contains upper and lower case letters, special characters and numbers. It is also not a dictionary word or a name and a year. Additionally, you can use a service like LastPass to create and store strong passwords that you can access from your iPhone or Android with your fingerprint.
In this case, Starbucks will reimburse customers who lost money through account problems like this, but it is still a great idea to use a secure password.
You can check whether your Starbucks app and Starbucks account are impacted by this problem by looking at your email for Starbucks gift card purchases, or by looking into your bank or your Starbucks account for unusual activity.
If this problem with the Starbucks app password security scares you, you can disable the auto reload and delete your payment options. This would change how you load up your card, so a better solution is simply to pick a secure password and use a new password for each account that you sign up for.
There is no comment from Starbucks on how they plan to specifically address this issue, but two-factor security could fix this problem by verifying a user when they sign up on a new device. This would work by sending a short text message with a code for the user to enter as part of the Starbucks app sign up process.
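The sequence described in this article (account credentials changed, then balance transfers and auto-reloads within minutes) is the kind of "unusual activity" that can be flagged automatically. The following is an added example, not code from Starbucks or from the original article; the event names, thresholds and sample histories are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

MONEY_EVENTS = {"balance_transfer", "auto_reload"}  # assumed event names

# Constructed account history for illustration (not real data).
TAKEOVER = [
    ("2000-01-01T07:00:10", "login", {"device": "never-seen-before"}),
    ("2000-01-01T07:00:40", "credentials_changed", {}),
    ("2000-01-01T07:01:30", "balance_transfer", {"amount": 30.00}),
    ("2000-01-01T07:02:05", "auto_reload", {"amount": 25.00}),
    ("2000-01-01T07:03:20", "balance_transfer", {"amount": 25.00}),
    ("2000-01-01T07:04:00", "auto_reload", {"amount": 75.00}),
    ("2000-01-01T07:06:45", "balance_transfer", {"amount": 75.00}),
]
# Constructed benign history: normal reloads and a password change, no drain.
BENIGN = [
    ("2000-01-02T09:00:00", "auto_reload", {"amount": 25.00}),
    ("2000-01-05T18:30:00", "credentials_changed", {}),
    ("2000-01-09T08:15:00", "auto_reload", {"amount": 25.00}),
]


def flag_drain(events, window=timedelta(minutes=15), min_moves=2):
    """Alert when a credential change is followed by several money movements
    inside `window`. Thresholds are illustrative, not tuned values."""
    parsed = sorted(((datetime.fromisoformat(ts), kind, data)
                     for ts, kind, data in events), key=lambda e: e[0])
    alerts = []
    for i, (changed_at, kind, _) in enumerate(parsed):
        if kind != "credentials_changed":
            continue
        # Money movements that follow this credential change within the window.
        moves = [(t, k, d["amount"]) for t, k, d in parsed[i + 1:]
                 if k in MONEY_EVENTS and t - changed_at <= window]
        if len(moves) < min_moves:
            continue
        alerts.append({
            "changed_at": changed_at,
            "moves": len(moves),
            "drawn_from_funding": sum(a for _, k, a in moves if k == "auto_reload"),
            "transferred_out": sum(a for _, k, a in moves if k == "balance_transfer"),
            "span": moves[-1][0] - changed_at,
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_drain(TAKEOVER):
        print(alert)
    print("benign alerts:", flag_drain(BENIGN))
```

A service that raises this alert could hold further transfers and reloads until the account owner confirms the change through the previously verified email address or phone number.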