Hackers steal from Starbucks customers by compromising its mobile app
You know how people keep recommending that you don't repeat passwords across multiple websites, that you use hard-to-guess passwords, and that you guard those passwords instead of revealing them on television? Here's why.
Reports claim that hackers have made their way into Starbucks' mobile application to drain the credit card associated with a customer's account. This nets them a bunch of Starbucks gift cards that can either be used or sold on black markets.
Bob Sullivan reports that criminals are exploiting the Starbucks app's default behavior, which automatically requests more funds from a consumer's bank account when it runs dry, to steal hundreds of dollars from various consumers.
Starbucks has said that the problem isn't on its end. This means the hackers are probably targeting people who use the same password for multiple services and don't update that password even if one of those services has been compromised.
That's exactly what Starbucks blames the issue on in its official statement:
"Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information."
It's not like people haven't been warned about using insecure passwords. Every time there's a major breach at a large company, consumers are advised to change all their passwords, especially if they use them across multiple websites.
Of course, that doesn't mean Starbucks will escape blame for these thefts. The company was previously criticized for storing passwords in plain text -- perhaps the passwords were compromised because of that vulnerability. And it has yet to add two-factor authentication to its mobile apps despite the security benefits.
Starbucks told CNN Money that it will cover all fraudulent charges through its app, but it didn't say how it plans to protect other consumers from attack. If you have a Starbucks account, now is a good time to change the password and make it so the app doesn't have any access to your bank account, at least for a while.
[illustration by Brad Jonas]