The 16 million Starbucks customers who use the company’s mobile payment service may want to strengthen their log-in credentials and reconsider using the auto-load feature.
Independent journalist and best-selling author Bob Sullivan reported on Monday that hackers recently stole money from several Starbucks customers by gaining access to their credit card information through the Starbucks app and using the auto-load function.
Sullivan described how one Starbucks customer had $34.77 stolen from her account last week, another $25 after it was auto-loaded, and another $75 after the hackers changed her auto-load amount. All of this took place in less than ten minutes.
Sullivan cites three other Starbucks customers who had their accounts hacked within the past month. This Reddit thread shows a handful of others who had similar issues. Some hackers even used stolen accounts to email gift cards to themselves.
“Essentially, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer’s stored value, and attack their linked credit card,” Sullivan noted.
Sullivan added that hackers who gain access to a Starbucks card can move balances to a card or account they control by changing the email address a victim uses for the transfer verification code.
“Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, I recommend all Starbucks consumers immediately disable auto-reload on the Starbucks mobile payments and gift cards,” Sullivan wrote.
Starbucks spokeswoman Maggie Jantzen told GeekWire that these recent incidents are “not widespread” and noted that “customer security is incredibly important to us.”
“We have safeguards in place to constantly monitor for fraudulent activity and, like all major retailers, work closely with financial institutions to make sure our customers are protected,” she said.
Jantzen also said that Starbucks encourages customers to “use several best practices to ensure their information is as protected as possible,” like strong passwords.
“Customers are not responsible for charges or transfers they did not make and if a customer’s Card is registered, their account balance is protected,” she added. “If a customer sees unauthorized activity on their account, we encourage them to contact us immediately.”
Starbucks has placed a big emphasis on mobile transactions over the past few years, with CEO Howard Schultz noting late last year that 16 percent of its U.S. sales came from a smartphone.
Starbucks also suffered a massive point-of-sale computer outage last month that struck stores in the U.S. and Canada.