Thieves are stealing money from people’s credit cards, bank and PayPal accounts — by first tapping into their Starbucks mobile app.
Starbucks (SBUX) on Wednesday acknowledged that criminals have been breaking into individual customer rewards accounts.
The Starbucks app lets you pay at checkout with your phone. It can also reload Starbucks gift cards by automatically drawing funds from your bank account, credit card or PayPal.
That’s how criminals are siphoning money away from victims. They break into a victim’s Starbucks account online, add a new gift card, transfer funds over — and repeat the process every time the original card reloads.
These thefts were first reported by consumer journalist Bob Sullivan.
CNNMoney interviewed several Starbucks customers who in recent months have had this happen to them.
It happened to Jean Obando on the Saturday evening of December 7. He had just stopped by a Starbucks in Sugar Land, Texas and paid with his phone app. Then while driving on the highway, his phone chimed with a barrage of alerts. PayPal repeatedly notified him that his Starbucks card was being automatically reloaded with $50.
Then came the email from Starbucks.
“Your eGift Just Made Someone’s Day,” the email said. “It’s a great way to treat someone — whether it’s to say Happy Birthday, Thank you or just ‘this one’s on me.'”
He got 10 more just like it — in just five minutes.
Starbucks didn’t stop a single transaction or pause to ask Obando for secondary approval. All of them went through. When Obando told Starbucks he thought his account was hijacked, Starbucks promised to conduct a review. When Obando asked to stop the payments and refund his money, Starbucks told him to dispute the charges with PayPal.
It took Obando two weeks to get back his $550. He said the incident made him realize Starbucks doesn’t seek enough approval from customers before directly accessing their bank accounts.
Obando, who works in a Houston high school’s technology department, said he disabled the app.
“Now, I just pay with my credit card or cash,” he said. “I can’t trust Starbucks with my payment information anymore.”
Starbucks records obtained by CNNMoney show that all of those payments went to a card registered to the email address email@example.com. No one from that address has responded to questions.
The same thing happened to Kristi Overton on Monday morning. She was working from her desk at an auto body shop in Florence, Alabama when her phone dinged five times. Someone broke into her Starbucks account, turned on the auto-reload feature, then emptied her existing gift card repeatedly.
The thief stole $115 in a few seconds — and luckily didn’t trigger a bank overdraft fee. Starbucks and PayPal have promised her the charges will be reversed.
“I think it’s too easy to dip into someone’s bank account,” she said. “The Starbucks app’s security measures need to be updated.”
Overton has since removed the Starbucks app from her phone as well.
Starbucks told CNNMoney the company has not been hacked, and it didn’t lose customer data. The company said these account takeovers are likely due to weak customer passwords. Starbucks suggested that customers use unique, strong passwords.
(CNNMoney’s password advice? Use a long phrase with upper/lower case letters, numbers and symbols, like: TryTh1sEx@mple)
That might be what happened to Overton. She admitted she reused the same password on her email and Starbucks account. Another Starbucks customer — Nicole McCool in Austin, Texas — was also forced to reset her passwords after someone stole $100 from the Starbucks account linked to her bank account in October, leaving her without a debit card and unable to pay bills for 10 days.
But Starbucks can do more on its end. Most respectable online services (like Gmail, Twitter and LinkedIn) let users enable two-step authentication, which sends a text message to your phone whenever you sign in from a new device. This added layer of security would have protected Starbucks customers, said Gavin Reid, an executive with cybersecurity firm Lancope.
Starbucks wouldn’t say if it’s adding new security measures to its system. But it promises customers will be reimbursed for any fraudulent charges.
This is the second time Starbucks’ payment system runs into security issues. Last year someone discovered the Starbucks app left passwords vulnerable, because it was storing them in plain text.
Because this is an issue with account access, the only way for customers to protect themselves is to create a strong password — and erase any payment methods attached to their Starbucks account. Disabling the auto-reload of money isn’t enough. A criminal can just turn that back on.