Starbucks app targeted by hackers to drain bank accounts

14 May 2015

Hackers are believed to have been stealing money from people’s bank accounts in the US using coffee giant Starbucks’ mobile app.

The Starbucks app lets people pay at checkouts with their smartphone and can also be used to reload gift cards by drawing funds from bank accounts, credit card accounts or PayPal accounts.

However, it has been reported that hackers have succeeded in breaking into victims’ Starbucks accounts online to add new gift cards, transfer funds and repeat the process over and over.

Taking advantage of the Starbucks auto-reload function, they can steal hundreds of dollars in a matter of minutes, according to US tech sceptic and consumer advocate Bob Sullivan.

Mobile transactions — want Java with that?

This is a big deal for the Seattle-headquartered coffee giant. Last year the company processed US$2bn worth of mobile payments, and one in six transactions at Starbucks is conducted via the Starbucks app. More than 16m people use the app in the US.

In one case, hackers stole from the credit card of Maria Nistri, first taking US$25 and then stealing a further US$75, all within seven minutes.

It is understood that a weakness in the Starbucks system enables cyber criminals to drain a consumer’s stored value and attack their linked credit card once they obtain username and password credentials.

Starbucks said that any reports that the mobile app itself has been hacked are false.

“Occasionally, Starbucks receives reports from customers of unauthorised activity on their online account,” the company said.

“This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks.”

To protect their security, the company urged customers to use different usernames and passwords for different sites, especially those that keep financial information.
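The pattern reported above (a new gift card added, funds moved to it, then auto-reload charging the linked payment method, all within minutes) can be watched for on the service side. The sketch below is an added example, not code from Starbucks or from the original article; the event names, the 10-minute window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed threshold; tune against real traffic

# Constructed sample events: (ISO timestamp, account, event type, USD amount).
# Event type names are hypothetical, not taken from any real Starbucks log.
EVENTS = [
    ("2015-05-01T09:00:00", "acct-A", "login", 0),
    ("2015-05-01T09:01:00", "acct-A", "card_added", 0),
    ("2015-05-01T09:02:00", "acct-A", "balance_transfer", 25),
    ("2015-05-01T09:02:30", "acct-A", "auto_reload", 25),
    ("2015-05-01T09:06:00", "acct-A", "balance_transfer", 75),
    ("2015-05-01T09:06:30", "acct-A", "auto_reload", 75),
    # Ordinary customer: auto-reloads days apart, no new card added.
    ("2015-05-01T08:00:00", "acct-B", "login", 0),
    ("2015-05-01T08:05:00", "acct-B", "auto_reload", 25),
    ("2015-05-03T08:10:00", "acct-B", "auto_reload", 25),
]


def find_drain_patterns(events, window=WINDOW):
    """Return {account: auto-reload USD total} for accounts where a newly
    added card is followed, inside `window`, by both a balance transfer
    and an auto-reload charge."""
    by_account = defaultdict(list)
    for ts, account, kind, amount in events:
        by_account[account].append((datetime.fromisoformat(ts), kind, amount))

    flagged = {}
    for account, rows in by_account.items():
        rows.sort()  # chronological order per account
        for added_at, kind, _ in rows:
            if kind != "card_added":
                continue
            after = [(k, a) for t, k, a in rows
                     if added_at < t <= added_at + window]
            transfers = [a for k, a in after if k == "balance_transfer"]
            reloads = [a for k, a in after if k == "auto_reload"]
            if transfers and reloads:
                flagged[account] = sum(reloads)
                break
    return flagged


if __name__ == "__main__":
    print(find_drain_patterns(EVENTS))
```

A hit from a rule like this is a reason to hold the reload and ask the customer to re-authenticate, not proof of fraud on its own.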


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
