Some consumers with the Starbucks mobile app on their smartphones have had their bank or PayPal accounts partially drained recently, and not just from excessive ordering of expensive lattes. Thieves have managed to steal money from Starbucks’ customers by using stolen passwords to get into their accounts. However, in this case there is no direct hacking of Starbucks involved. The thieves are cashing in on careless use of passwords.
Armed with stolen passwords acquired from any number of sources, these crooks are taking advantage of the fact that the Starbucks app does not limit the number of password attempts. Through automated "brute force" attacks, they process thousands of combinations of passwords and IDs until they find a legitimate combination.
However, if you re-use your passwords and IDs for multiple sites, you've made life much easier for the crooks. Your information that was stolen from one site makes it easy to unlock your other accounts.
Once the thieves are in your account, they drain the money off your Starbucks app by establishing gift cards. When the balances are emptied, the automatic reloading function in the Starbucks app simply replenishes the funds from whatever account you have connected to the card, whether it's a bank account, PayPal, debit cards, or credit cards. Your first notice may be a series of rapid-fire e-mails acknowledging the gift cards.
Disabling the auto-reloading function doesn't really help. Once a thief is in control of your account, they can simply turn the reloading function back on. Not only that, they can also increase the reloading amount. You can remove the connection to any of your accounts, but in that case, the app doesn’t have much value.
Some people were quick to blame Starbucks, thanks in part to a previous issue with password security. In late 2013, the iOS version of the app had been saving personal information such as usernames and passwords in plain text. Fortunately, this flaw was pointed out to Starbucks by security researcher Daniel Wood before any crooks were able to take advantage of it — but its existence was publicized after Starbucks failed to respond to Wood's initial complaint.
Starbucks has correctly pointed out that in this case they are not responsible for the loss of information that allowed access, and that customers must take greater responsibility for their own security.
Technically, Starbucks is correct. They have not been directly hacked, and consumers can prevent this breach by using a unique and strong password for their Starbucks account. Even so, customers are angry with Starbucks for not taking relatively simple steps to thwart these efforts. They could easily limit the number of password attempts before lockout and require (or at least allow) a secondary verification step via text message when an account is being accessed for a different device.
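To make the two fixes above concrete, here is an added illustration (not Starbucks' code) of a login check that locks an account after a fixed number of failed attempts and holds back the session until a second verification step when the login comes from a device the account has never used. The attempt limit, lockout window, Account record and device identifier are assumptions chosen for the example.

```python
import hmac
import time
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5            # failed tries allowed before the account locks (assumed value)
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts (assumed value)

@dataclass
class Account:
    password: str                              # constructed sample; a real service stores a salted hash
    known_devices: set = field(default_factory=set)
    failed: int = 0
    locked_until: float = 0.0

def login(account, password, device_id, now=None):
    """Return 'locked', 'denied', 'needs_second_factor' or 'ok'."""
    now = time.time() if now is None else now
    # While locked, do not even evaluate the password, so a correct guess
    # made during the lockout leaks nothing.
    if now < account.locked_until:
        return "locked"
    if not hmac.compare_digest(password, account.password):
        account.failed += 1
        if account.failed >= MAX_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed = 0
        return "denied"
    account.failed = 0
    # Correct password from an unfamiliar device: the caller must complete
    # the secondary check (e.g. a code sent by text) before a session is issued.
    if device_id not in account.known_devices:
        return "needs_second_factor"
    return "ok"

def confirm_device(account, device_id):
    """Record a device once its secondary verification has succeeded."""
    account.known_devices.add(device_id)

def guesses_evaluated(account, guesses, device_id, now=0.0):
    """Count how many guesses from a list are actually checked before the lock kicks in."""
    evaluated = 0
    for guess in guesses:
        result = login(account, guess, device_id, now)
        if result == "locked":
            break
        evaluated += 1
        if result != "denied":
            break
    return evaluated
```

With no limit, every guess in a list is evaluated; with the lock in place only the first MAX_ATTEMPTS are, which is the difference the angry customers are pointing at.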
To their credit, Starbucks has been reimbursing customers for fraudulent charges. However, if Starbucks intends for people to use their app on a regular basis, they had better pay closer attention to improved security from the consumer's perspective, whether Starbucks is technically correct or not. Starbucks has two public opinion strikes against them. The app may not survive a third strike.
Meanwhile, if you use the same password for everything, and a non-challenging password at that, start taking security into your own hands with the better use of passwords. Good password management can be inconvenient at times, but it is not nearly as inconvenient as dealing with the damage of a hacked account.
If you would like to monitor your credit to prevent identity theft and see your credit reports and scores, check out our credit monitoring service.