Starbucks customers are reporting that their gifts cards, apps and linked credit cards are being drained of money, but the coffee chain denies that it has been hacked. Instead, they blame customers for reusing user names and passwords that have been hacked elsewhere, allowing persistent crooks to access their accounts.
Numerous media reports describe the problems being experienced by customers. Money tells the story of Maria Nistri who had $34.77 loaded on her Starbucks app. Thieves took that, and when the balance hit zero the account was reloaded with $25 because Nistri had it attached to her American Express card set to auto-reload. Thieves took that, and then upped the reload to $75, which was immediately drained. Nistri received an alert and intervened before the crooks could do any more damage. Total elapsed time: 7 minutes.
NBC News reports that Gartner security analyst Avivah Litan calls this a growing problem, "Criminals are learning how to turn rewards programs, points and prepaid cards into cash."
The Starbucks payment system handled $2 billion in transactions last year for its 16 million users—a tempting target for thieves.
While Starbucks wasn’t hacked, the company is in the position of doing damage control, releasing an online statement:
Starbucks takes the obligation to protect customers’ information seriously. News reports that the Starbucks mobile app has been hacked are false.
Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions. To protect the integrity of these security measures, Starbucks will not disclose specific details but can assure customers their security is incredibly important and all concerns related to customer security are taken seriously.
Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.
If a customer believes their account has been subject to fraudulent activity, they are encouraged to contact both Starbucks and their financial institution immediately. Customers are not responsible for charges or transfers they did not make. If a customer’s Starbucks Card is registered, their account balance is protected.
If you use the Starbucks app, it's recommended that you disable the auto-reload feature.