EXCLUSIVE: Hackers continue stealing from Starbucks app users, nearly a year later; linked credit, debit cards at risk

Screen shot of Bruno Navarro’s Starbucks app shows a fraudulent reload and subsequent rapid-fire purchases.

Hackers are still stealing money from Starbucks customers using a simple attack on the coffee giant’s app users, BobSullivan.net has learned. Nearly a year after my initial story exposed widespread attacks on app users’ bank accounts, the security problems plaguing Starbucks’ auto-reload and linked bank account features persist.

Starbucks did not immediately respond to a request for comment in this story. (UPDATE 3/4/16: Starbucks has not yet responded to me, but it did give a statement to Seattle-KOMO reporter Herb Weisbaum, posted in its entirety below. Essentially the firm claims the problem has never been “widespread.”)

While the attacks do not seem as widespread as they were last May, plenty of consumers are still being victimized. In fact, I’ve interviewed several consumers who were hit during the long Presidents Day weekend — at a time when fraud controls at banks and Starbucks might have been dialed back.

Dawn Euer, a lawyer in Rhode Island, said her account was hit Saturday at 4 p.m.  Her Starbucks card was drained of value, then reloaded twice with $100 transactions from her linked debit card. That value was also drained off to another card the hackers controlled.

“It was such an odd transaction that I would think they could set up some security checks,” Euer told me. “Thankfully I signed up to receive email alerts from Starbucks when I replenished the card. Other than that alert I didn’t receive any notice about the transaction or fraud scheme. I was surprised when I saw the old article that this has been known about for some time.”

Euer will get her money back, but Starbucks told her it would take 7-10 days. She is now disputing the transactions with her bank.

I’ll get to more examples in a moment, but I’d like to reiterate my warning to the 13 million or so Starbucks app users: It’s *still* not safe to link a credit or debit card to your Starbucks account; if I were you, I’d delete my payment information immediately from the app and manually reload the app.

As I described last year, criminals who manage to obtain Starbucks consumers’ login credentials have a relatively easy time transferring gift card / app balances onto cards they control; worse yet, they can initiate new transactions from a victim’s debit or credit card onto the consumer’s card, and then move the money onto their own cards. That lets them steal from consumers’ bank accounts without even knowing the victims’ bank account information.

(Let me get some nomenclature out of the way: Starbucks has always maintained its systems have not been hacked, and I have no reason to believe that’s untrue. Criminals are instead finding their way into consumers’ online accounts allowing them to take control of their apps and gift cards. I call these hacked accounts; one could quibble with that description, but I think it’s the clearest way to express what’s happening.)

It’s unclear how hackers are getting Starbucks login credentials, but there are many ways: phishing emails, stolen lists from other websites, brute force attacks. Many consumers might use *less* secure passwords on their Starbucks accounts because they log in infrequently; I’d suggest making your Starbucks password as complex as possible.

Last year’s widespread incident suggested that Starbucks’ back-end account fraud detection tools were less effective than bank tools; transactions that should have been easily recognized as suspicious sailed through. Euer’s story shows that problem still seems to persist.
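To show how recognizable the pattern in these victims' stories is, here is an added example (not part of the original article, and not Starbucks' or any bank's code) that scores a stored-value account's activity for the signals described here: a password reset, several reloads in quick succession, a balance transfer right after a reload, and a long-dormant account. The event names, the one-hour window, the 180-day dormancy threshold and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)     # assumed correlation window around a reload
DORMANT = timedelta(days=180)   # assumed "infrequent user" threshold

# Constructed sample events (not real data): (account, ISO time, event type)
EVENTS = [
    ("acct-A", "2015-01-10T08:00", "purchase"),
    ("acct-A", "2016-02-13T16:00", "password_reset"),
    ("acct-A", "2016-02-13T16:02", "transfer_out"),   # existing balance drained
    ("acct-A", "2016-02-13T16:03", "reload"),
    ("acct-A", "2016-02-13T16:04", "reload"),
    ("acct-A", "2016-02-13T16:05", "transfer_out"),   # reloaded value moved off
    ("acct-B", "2016-02-10T07:30", "purchase"),
    ("acct-B", "2016-02-13T07:31", "reload"),
    ("acct-B", "2016-02-13T07:35", "purchase"),
]

def reasons_for(evs, anchor):
    """Collect takeover signals around one reload; evs is time-sorted."""
    near = [(t, k) for t, k in evs if abs(t - anchor) <= WINDOW]
    earlier = [t for t, _ in evs if t < near[0][0]]
    reasons = []
    if any(k == "password_reset" and t <= anchor for t, k in near):
        reasons.append("password reset shortly before reload")
    if sum(k == "reload" for _, k in near) >= 2:
        reasons.append("multiple reloads in a short window")
    if any(k == "transfer_out" and t > anchor for t, k in near):
        reasons.append("balance moved to another card after reload")
    if earlier and near[0][0] - earlier[-1] >= DORMANT:
        reasons.append("account dormant before the burst")
    return reasons

def detect(events, threshold=2):
    """Return {account: reasons} for accounts with >= threshold signals."""
    by_acct = defaultdict(list)
    for acct, ts, kind in events:
        by_acct[acct].append((datetime.fromisoformat(ts), kind))
    alerts = {}
    for acct, evs in by_acct.items():
        evs.sort()
        best = max((reasons_for(evs, t) for t, k in evs if k == "reload"),
                   key=len, default=[])
        if len(best) >= threshold:
            alerts[acct] = best
    return alerts

if __name__ == "__main__":
    for acct, why in detect(EVENTS).items():
        print(acct, "->", "; ".join(why))
```

Requiring at least two signals keeps an ordinary single reload followed by a purchase (acct-B) from being flagged.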

Bruno Navarro, from New York, contacted me on Friday to say his account was hit Thursday evening.

“I caught it minutes after it happened and between reloads,” Navarro said.  Hackers used his app to attack his Discover Card. In his case, someone bought $85 worth of merchandise at a store in York, Pa., after adding value to his gift card / app balance. “Discover told me that three transactions, each for $100, were processed.”

In Navarro’s case, hackers didn’t bother to move money onto a second card before trying to spend it. Someone initiated an $85 purchase in York, Pa., using his fraudulently-reloaded card — showing hackers are using a variety of tactics to move cash onto and off of hacked Starbucks accounts.

Another consumer who requested anonymity told me her Starbucks card was used to load three new gift cards with $100 with money from her Chase account. Her Starbucks account password was changed using the password reset tool, and then the transaction was initiated, she said.

“It was Sunday on a three-day weekend,” the victim said. “Fortunately I have text alerts set up.”

When she called Chase, she says the operator told her it was “a common scam.”

She said she then spent hours feeling frustrated and examining all other online transactions. She wishes Starbucks would add additional security measures, she said.

“If they knew about this and they haven’t … that’s really irresponsible,” she said. “This could have been prevented. How can you put your customers in danger like this? … I am furious and am spending today closing accounts and changing all my passwords.”

There are plenty more recent victims complaining about being hacked on this Facebook page:

Such as: “I had $300 stolen on November 23, 2015. It’s still happening. I am relying on PayPal to resolve the issue. After this, no more Starbucks! Never!”

and

“Mine was done on the (Jan. 3). They used my Discover card and bought $95 in reloads with 2 transactions. I caught it (because) I was returning a jacket online and wanted to see if I used that card due to Christmas (credit card) confusion. I’m pissed! My whole cc account is shut down and have to wait on new card.”

RED TAPE WRESTLING TIPS

Navarro and the anonymous victims said they hadn’t used their Starbucks card/app in at least a year; and Euer said her account was protected by an old password. If you reject my advice on disconnecting payment account information from the app, at least do so if you are an infrequent app user.

At a bare minimum, follow Starbucks’ advice to change your password frequently. Since the firm’s back-end controls seem weaker than many bank fraud-fighting tools, you should use even greater care with your Starbucks account than you do with your checking or savings account.

Meanwhile, don’t assume Starbucks or your bank will spot suspicious transactions. Scan your app and your bill for suspicious transactions frequently.

UPDATE 3/4/16: Here is what Starbucks is telling other journalists, courtesy Weisbaum and KOMO. Click on that link to listen to Herb’s report.

  • Occasionally, we find unauthorized activity connected to a customer’s online account. This type of activity is not caused by a breach or hack of our website or apps or card, but rather when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. 
  • This is an industry wide challenge, though is not and has never been a widespread or systemic situation for Starbucks.  
  • Over the last year, our security and fraud prevention improvements have reduced fraudulent activity in our business to a level significantly below industry average; a number that continues to decline as we implement additional measures. 
  • In fact, we see only a tiny fraction of one percent of our account holders impacted. In any case, customers are not responsible for charges or transfers they did not make.

About Bob Sullivan 1318 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

13 Comments

  1. This has also just happened to me Dec. 15th, 2016. Fortunately my credit card company recognized it as unusual activity and suspended the transactions. Money that was already loaded onto my account was drained.

  2. This has happened to me as well, transaction happened twice on Dec 12th using my Paypal account that was attached to my Starbucks app. I have deleted my app and my account with Starbucks. Paypal is helping me get my money back. Shame on Starbucks for knowing this for so many years and haven’t sent out any warnings to their Starbucks app users. They have lost my business and I’m going to tell as many people as I can

  3. This happened to me January 2nd, 2017. Like others, I found out from email alerts I received of two reload transactions. $50 each. Then they unregistered my gift card from my account. Starbucks says they will issue a new gift card for the amount I had prior to the reloads and refund me the two fraudulent transactions. Of course it will take time.

    I found your article when I went to google Starbucks account hacked.

  4. Somehow the Starbucks team is involved. Just too suspicious when I called to get a credit issued for the unauthorized reload of my app. I always reload a specific amount. I knew that I could not have used all) from my last re-load. Checking history I found a $100.00 reload, which differs from my normal amount, they swept the entire new balance to another card as pointed out in the article. Getting my money back but bye bye Starbucks!

  5. This happened to me in December of last year 2016. I had the unfortunate experience of $900 being added to a card that I did not authorize in increments of $100. My bank took care of me and Starbucks apologized. That happened to me again this morning only this time they transferred $11 from my card onto another card and removed the card I had to my account. So I have changed my password and added a passcode to even enter the app so hopefully this will help as I am in frequent Starbucks app user. Thanks for letting us know about this issue.

  6. Happened to me today! I found this article when I googled Starbucks reload hackers. I’m furious to find out that it’s been going on for years and nothing has been done to prevent it. Starbucks customer service were terrible and now I get to wait 7-12 business days to get my $100 back! 😡

  7. This just happened to me! At first I thought the app was glitchy because it was alerting me of $50 auto reloads, but when I checked, the card balance was zero. Once I figured out what was happening, I contacted Chase to close my Visa and then Starbucks. Starbucks are issuing me a new card with the $51 that I originally had available, upgraded me to gold status, and added two free beverages. I don’t know that I will ever use the app again though. I frequent a NYC location, and I actually suspect a homeless man who stands there on his laptop (I know, strange, huh?) for compromising their network somehow. The first weird thing on my card happened shortly after I did one of those order ahead orders, and he was there, as I have seen before.

  8. This happened to me 3/19/17. I woke up to six text alerts from Starbucks Reloads. $25 each for a total of $150. I reported it to my bank and starbucks. Starbucks was rude and said there was nothing they can do, just work it out with my bank. The bank is going to take two weeks to reimburse my account. I adore starbucks but I’ll never use anything but cash again!

  9. PayPal refuses to refund the Starbucks reload made by hackers (at 3am, in a Starbucks store 2000 miles away from me) – They offer no recourse to their decision. The Starbucks rep told me tough luck, go to our store and buy a new card. No thanks!!

  10. It happened to me last week. They took $150 (3 reloads of $40 plus my $30 balance on card). If I did not see what was happening and unlink paypal from the starbucks card God knows how much money they would have taken. I disputed the transactions on Paypal and then Starbucks replied to them that these were authorized transactions. I opened a ticket with Starbucks and they said they would call me back in 1-2 days. No call back. A week later I loaded my card with $20 and used it. The next day Starbucks cancelled my card… and took my $11 balance. I called again yesterday, spoke to another clueless rep at Starbucks and it took me around 30 minutes to go over with her and help her document the situation. She said she was going to escalate it. If they do not remediate this, I am considering driving to the store that they spent my $$ (20 miles away) and call the cops and report theft right there on the spot. It seems that so many people are getting screwed by Starbucks and this is still going on while their CEO says “Hey, it’s less than 1% it’s OK…” so their CEO told the crooks who are stealing from his customers, just keep it to under 1% of our few million customers and we won’t do anything about it. There should be a class action lawsuit against Starbucks.

  11. I too just discovered 2000+ Stars being redeemed as well as $200.00+ charges on not one, not two, but three Starbucks accounts….6 calls later to Starbucks and a Starbucks Fraud email to Starbucks I am no further along. I have deleted the Starbucks Android app from my phone and I have informed them that I will NOT be making Starbucks purchases until my account issues are resolved. I live in Seattle, charges are from Illinois…..I always go to drive thru as well never make in store purchases so after first hack I called Starbucks, we changed the password and to be safe I “disconnected” my credit card / bank info from account…and Starbucks moved me to new account…..48 hours later that account was compromised so I called Starbucks again, changed the password and verified via web page not Starbucks app that my bank and credit data was empty…and Starbucks issues a new card, send me a $19.08 Gift Card…and not 24 hours later that new account is hacked….more stars are redeemed as there is no money on the account…..again Illinois use of account…..and I called Starbucks one last time to inform them of the additional loss of Stars and that effective immediately, while on the phone with them, I was deleting my Starbucks account and App from my phone and asked them to a) understand my concerns b) could anyone at Starbucks care since no one has contacted me or even expressed any sympathy to this concern c) if I could using the app trace the location, charges and stars redeemed from my phone via their app don’t you think they’d be able to verify that info much quicker in their main system ? So as of this typing I am down 2000+ Stars and $200.00+ in charges all in Illinois and I have not left Seattle….
