Find a reputable business?

Business Consumer Alliance Blog

Hackers use Starbucks app to steal money

Starbucks logo

With the convenience of smartphones and mobile apps, consumers can pay the price for that convenience if they have their credit cards linked to certain apps.  Starbucks confirmed Wednesday that some customers had funds withdrawn from the credit cards linked to the Starbucks app without their knowledge.  This news was reported early on by journalist Bob Sullivan.  The app lets you pay at the register with your phone and has the ability to automatically reload your Starbucks gift card by drawing from linked bank accounts, credit card or PayPal account.  Criminals are exploiting this auto-load feature and using it to drain money from unsuspecting victims.

Many victims claim they find out about the hacks as they received notifications of incremental amounts such as $25, $50 to $75 via email.  These amounts are triggered when the thieves transfer these amounts from the hacked accounts to other Starbucks gift cards without the victim’s authorization.  When done multiple times, the damages can quickly add up to hundreds of dollars in unauthorized charges.  Another sign of a possible hack is that victims claim they received an email notification stating their username and password had changed, even though they weren’t the ones who initiated the change request.

Starbucks isn’t answering specific questions about how the fraud is being perpetrated, but the Seattle-based company does maintain that personal and credit card data has not been compromised.  Instead, they attribute the hack to weak username and password credentials tied to the app and their Starbucks account.  If this is truly how hackers are gaining access to these accounts, BCA offers the following tips to safeguard yourself:

  • Immediately change your username and password with the Starbucks app.  We recommend using a different set of username and password credentials than what you have for your email credentials and other accounts.
  • Use a strong password with combinations of upper/lower case letters, numbers and special characters.  This makes it harder for hackers to use brute force or dictionary attacks to guess your password.
  • Disable the auto-load feature on the app and unlink your bank account, credit card or PayPal account that was originally tied to that feature.
  • Pay using other means instead of the app (i.e. credit card or cash is always safe)
  • Stay vigilant in monitoring suspicious transactions with your credit cards, especially the innocuous amounts such as $10 or $20 that normally wouldn’t raise any red flags.
  • If you believe you are a victim of fraudulent activity, contact Starbucks Customer Care by phone at 1-800-782-7282 or visit their Customer Care page for other ways to contact them.
  • You may also contact your credit card company or bank to report the fraudulent charges.

Were you a victim to this hack or know someone who was?  File a complaint with BCA or tell us in the comments section.  Also, be sure to follow us on Facebook and Twitter to get the latest scam alerts and news that affect you as consumers.

We recommend these articles:

About Business Consumer Alliance:

Business Consumer Alliance (BCA) is a non-profit company that started in 1936. The broad purpose of BCA is to promote business self-regulation. BCA's mission is achieved by assisting consumers in resolving complaints with businesses and using that complaint information, along with other relevant information such as customer reviews, to forecast business reliability. With community support, BCA can identify trustworthy and ethical businesses and warn the public to avoid unscrupulous businesses whose purpose is to defraud the marketplace. BCA also helps businesses promote themselves by providing services and tools to protect their business and reach out to their customers. BCA obtains its funding from member businesses who support the mission and purpose of the organization and who agree to abide by high standards of ethical business practices.