Hackers drain money from Starbucks accounts linked to users’ credit cards

Pierluigi Paganini May 14, 2015

Hackers are stealing money from Starbucks mobile customers through linked credit cards; nearly 16 million customers who use the company’s app are at risk.

Starbucks is the latest victim of scammers: cyber criminals are syphoning money from the credit or debit cards linked to customers’ Starbucks accounts.

The attack is quite simple for fraudsters. The criminal only needs the user’s Starbucks account credentials, which could easily be stolen with a phishing campaign, to make charges against the victim’s credit card.

Criminals could also steal credentials by keylogging, by trying credentials leaked in other data breaches, or by brute-forcing passwords.

According to the journalist Bob Sullivan, the hackers syphoned money from Starbucks customers through the Starbucks app, exploiting its auto-load function.

Victims usually received an email purporting to come from Starbucks, informing them that their username and password had been changed.

Once the fraudsters gain access to the victim’s Starbucks account, they can transfer the balance of the gift card in the victim’s Starbucks app to another gift card they control, in order to resell it later. Another cash-out scheme is to buy gift cards and send them to accounts they control.

The worst scenario for the victim occurs when the auto-load feature is enabled on the Starbucks account, because in that case additional money is automatically loaded onto the Starbucks card every time the balance drops.
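The takeover sequence described above (a credential change, an immediate transfer of the card balance to another card, and auto-load refilling the drained card) is the kind of pattern a payment provider’s fraud monitoring can flag. The following is an added example, not code from the original article or from Starbucks; the event format, the sample log and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log (hypothetical format, not real Starbucks data):
# user2 is taken over, drained to an attacker-controlled card, and refilled by auto-load.
SAMPLE_EVENTS = [
    ("2015-01-10T08:00:00", "user1", "login", {"device": "known"}),
    ("2015-01-10T08:02:00", "user1", "auto_reload", {"amount": 25}),
    ("2015-01-12T03:14:00", "user2", "login", {"device": "new"}),
    ("2015-01-12T03:15:00", "user2", "password_change", {}),
    ("2015-01-12T03:16:00", "user2", "card_transfer", {"to_card": "CARD-X", "amount": 25}),
    ("2015-01-12T03:17:00", "user2", "auto_reload", {"amount": 25}),
    ("2015-01-12T03:18:00", "user2", "card_transfer", {"to_card": "CARD-X", "amount": 25}),
    ("2015-01-12T03:19:00", "user2", "auto_reload", {"amount": 25}),
    ("2015-01-12T03:20:00", "user2", "card_transfer", {"to_card": "CARD-X", "amount": 25}),
    ("2015-01-12T03:21:00", "user2", "auto_reload", {"amount": 25}),
]

WINDOW = timedelta(hours=1)
MAX_RELOADS = 2  # illustrative threshold: more auto-loads than this inside WINDOW is suspicious


def detect_takeover(events, window=WINDOW, max_reloads=MAX_RELOADS):
    """Return {account: [reasons]} for accounts matching the drain-and-refill pattern."""
    by_account = defaultdict(list)
    for ts, acct, kind, data in events:
        by_account[acct].append((datetime.fromisoformat(ts), kind, data))
    findings = defaultdict(list)
    for acct, evs in by_account.items():
        evs.sort(key=lambda e: e[0])
        # Rule 1: a credential change followed within the window by a transfer to another card
        for i, (t, kind, _) in enumerate(evs):
            if kind != "password_change":
                continue
            for t2, kind2, data2 in evs[i + 1:]:
                if t2 - t > window:
                    break
                if kind2 == "card_transfer":
                    mins = int((t2 - t).total_seconds() // 60)
                    findings[acct].append(f"transfer to {data2['to_card']} {mins} min after password change")
                    break
        # Rule 2: auto-reload firing repeatedly inside the window (the balance keeps being drained)
        reloads = [t for t, kind, _ in evs if kind == "auto_reload"]
        for i, t in enumerate(reloads):
            burst = [r for r in reloads[i:] if r - t <= window]
            if len(burst) > max_reloads:
                findings[acct].append(f"{len(burst)} auto-reloads within {window}")
                break
    return dict(findings)


if __name__ == "__main__":
    for acct, reasons in detect_takeover(SAMPLE_EVENTS).items():
        print(acct, reasons)
```

In a real deployment the second rule would also key on the destination card, since the same attacker-controlled card typically receives the balance from many victims.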

[Image: Starbucks account page showing the auto-load function]

According to a source inside the company, the fraud has been going on since at least January. Starbucks explained that it is already working to protect its customers and urged users to report any suspicious activity on their accounts.

A company spokeswoman said Starbucks has “safeguards in place to constantly monitor for fraudulent activity,” but is “unable to discuss specific security measures” publicly, for obvious reasons.

“If a customer believes their account may be subject to fraudulent activity, we encourage them to contact us and their financial institution immediately,” she stated, adding that “customers are not responsible for charges or transfers they didn’t make.”

Of course, I recommend that all Starbucks customers immediately disable the auto-reload feature on Starbucks mobile payments and gift cards.

The attack on Starbucks demonstrates the importance of adopting multi-factor authentication: it is too easy for cyber criminals to guess or steal a user’s password, and when accounts are linked to a payment process the effect can be serious. This type of small-amount theft can be automated by reusing already exposed credentials.

As usual, a proper security posture also helps mitigate account takeover; I always recommend that you avoid using the same credentials across multiple services, to prevent a domino effect if one of them is breached.

Unfortunately, cyber attacks similar to the one that hit Starbucks are quite common.

Pierluigi Paganini

(Security Affairs – Starbucks, mobile)
