Starbucks app users across the country panicked last week when a report describing an in-app hack surfaced on the site bobsullivan.net. Though the report was unconfirmed by Starbucks, dozens of news sources picked up the story. The Starbucks app lets you pay at checkout with your phone.
It can also reload Starbucks gift cards by automatically drawing funds from your bank account, credit card or PayPal.
That’s how criminals are siphoning money away from victims, says the report. They break into a victim’s Starbucks account online, add a new gift card, transfer funds over – and repeat the process every time the original card reloads.
These thefts were first reported by consumer journalist Bob Sullivan.
Using password and username data stolen by hackers, Sullivan wrote how hackers can gain access to Starbucks accounts that are linked to a credit card.
Once they’re in, victims helplessly sit there and watch as hackers change the account’s email log-in and transfer the balance to a different Starbucks card.
About one in six Starbucks customers use these cards. Sullivan reported that Maria Nistri was a victim of thieves who stole a total of $75, all within 7 minutes. Nistri says the hackers were able to steal money from her credit card, because her gift card was loaded onto her Starbucks app.
Starbucks released on Wednesday a statement that denies allegations of any kind of security breach.
“Starbucks takes the obligation to protect customers’ information seriously. News reports that the Starbucks mobile app has been hacked are false” reads the statement.
“Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions. To protect the integrity of these security measures, Starbucks will not disclose specific details but can assure customers their security is incredibly important and all concerns related to customer security are taken seriously.
Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.
If a customer believes their account has been subject to fraudulent activity, they are encouraged to contact both Starbucks and their financial institution immediately. Customers are not responsible for charges or transfers they did not make.
If a customer’s Starbucks Card is registered, their account balance is protected.
For additional security, Starbucks encourages customers to employ several best practices to ensure information is as protected as possible.”