A frightening new report has pointed to vulnerabilities in Starbucks cards that may allow hackers to steal money via linked credit cards.
Scammers can potentially gain access to some customer accounts using password and username data stolen by hackers, Bob Sullivan, an independent consumer reporter, wrote in an exclusive piece on Monday.
Because consumers often reuse credentials, hackers take username-and-password pairs stolen from other sites and "brute force" thousands of them against the Starbucks website. And because Starbucks' mobile payment app is so popular, any large set of stolen credentials is bound to contain at least a few combinations that unlock Starbucks accounts.
Starbucks cards function like reloadable gift cards: users can link their accounts to a credit card so that the Starbucks card automatically reloads when its balance runs low. Once the hackers gain access to an account with a linked credit card, they can change the log-in email, transfer the balance to a different Starbucks card, wait for the card to refill, and repeat. Sullivan noted that one woman watched as the scammers raised her automatic reload from $25 to $75, which was then charged to her credit card.
The coffee chain allows users to easily transfer balances between separate Starbucks cards, so the thieves are able to load up their own accounts before allegedly selling the souped-up cards on the black market.
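As an added illustration (not code from the article or from Starbucks), here is the takeover pattern described above written as a simple defender-side detection rule over a constructed account-activity log. The event names, field layout and one-hour correlation window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample account-activity log (not real Starbucks data).
# Fields: ISO timestamp, account id, event type, "key=value ..." details.
SAMPLE_EVENTS = [
    ("2015-05-11T09:00:00", "acct-1", "login", "ip=198.51.100.7"),
    ("2015-05-11T09:01:10", "acct-1", "email_change", "new=mailbox-x@example.invalid"),
    ("2015-05-11T09:02:30", "acct-1", "balance_transfer", "to=card-999 amount=25"),
    ("2015-05-11T09:03:00", "acct-1", "reload_amount_change", "from=25 to=75"),
    ("2015-05-11T09:10:00", "acct-1", "auto_reload", "amount=75"),
    ("2015-05-11T09:11:00", "acct-1", "balance_transfer", "to=card-999 amount=75"),
    ("2015-05-11T10:00:00", "acct-2", "login", "ip=203.0.113.5"),
    ("2015-05-11T12:00:00", "acct-2", "reload_amount_change", "from=25 to=50"),
    ("2015-05-12T08:00:00", "acct-2", "balance_transfer", "to=card-555 amount=10"),
]

WINDOW = timedelta(hours=1)  # assumed correlation window; tune to real traffic


def field(detail, key):
    """Pull one value out of a 'k=v k2=v2' detail string (None if absent)."""
    return dict(p.split("=", 1) for p in detail.split()).get(key)


def flag_takeovers(events, window=WINDOW):
    """Return {account: [reasons]} for accounts showing the article's pattern:
    an email change followed by a transfer or reload change, and an
    auto-reload that is drained to another card right after it lands."""
    by_acct = defaultdict(list)
    for ts, acct, ev, detail in sorted(events):  # ISO strings sort by time
        by_acct[acct].append((datetime.fromisoformat(ts), ev, detail))
    flagged = {}
    for acct, evs in by_acct.items():
        reasons = []
        for i, (t, ev, detail) in enumerate(evs):
            later = [(e, d) for (t2, e, d) in evs[i + 1:] if t2 - t <= window]
            if ev == "email_change":
                hits = sorted({e for e, _ in later
                               if e in ("balance_transfer", "reload_amount_change")})
                if hits:
                    reasons.append("email change followed by " + ", ".join(hits))
            if ev == "auto_reload":
                amt = field(detail, "amount")
                if any(e == "balance_transfer" and field(d, "amount") == amt
                       for e, d in later):
                    reasons.append(f"auto-reload of {amt} drained by transfer")
        if reasons:
            flagged[acct] = reasons
    return flagged
```

Running `flag_takeovers(SAMPLE_EVENTS)` flags only `acct-1`; the second account changes its reload amount without the surrounding email change or rapid drain, so it stays clean.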
Starbucks is responsible for the vast majority of all mobile transactions in the U.S. Of the $1.6 billion spent via smartphones in 2013, the company said 90 percent went to purchases at its coffeehouses, according to the MIT Technology Review. About 1 in 6 transactions at Starbucks is conducted via the mobile app.
A representative for Starbucks told The Huffington Post there was no breach of their system and the app itself was not hacked. The company has safeguards in place to monitor fraudulent activity, and it actively encourages customers to use "best practices" like a unique username and password to protect their account. If an account is compromised, Starbucks doesn't hold its coffee drinkers liable, and "customers are not held responsible for any transaction they did not make."
Despite that advice, many people still opt for less-than-ideal passwords. If you'd like to drink your Frappuccino in peace, stop making it easy for hackers and select something a touch more unique than "batman" or "football."
You can read Sullivan's full report -- in which he recommends all consumers immediately delink their auto-filled cards -- here.