Starbucks app used to hack into bank accounts, credit cards

Hackers have used the Starbucks mobile app to siphon money from consumers' credit cards as well as bank and PayPal accounts.

Coffee chain says app is not compromised, blames weak password protection

Starbucks admits customers have lost money through its app, but said the theft is because of poor password protection. (Associated Press)

Starbucks acknowledged the problem on Wednesday, but said the thefts weren't related to the app, blaming them on weak password protection by customers.

"Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions," the Seattle-based coffee company said in a statement.

The app lets consumers pay for drinks and food through their mobile phone. It can also reload Starbucks gift cards by drawing funds from a bank account, credit card or PayPal.

Hackers have found a way to get into the app, buy a new gift card and transfer the funds to themselves.

Consumers in several areas of the U.S. have reported getting several emails from Starbucks in the space of five minutes that tell them their Starbucks gift card had been successfully loaded. It took only a short time for thieves to siphon hundreds of dollars from their accounts.

Although the repeated emails alerted consumers that something was wrong, they were unable to stop the transfers.

A Texas man, Jean Obando, said he was driving on the highway last December when he started getting notifications that $50 from his PayPal account was being transferred to Starbucks.

"Somebody had hacked into my account and had bought 11 $50 gift cards and sent them to some random email," he told CBC News.  

He had to contact his bank and put a stop payment on the PayPal charges and put a fraud alert on the charges with PayPal.

But Obando said when he contacted Starbucks, the company said there was nothing it could do. Starbucks told him to deal with his bank, an approach he does not consider satisfactory.

He said he's gone back to using cash when buying coffee.

Consumers urged to change passwords

About 16 million people use the Starbucks mobile payment system. The app is important to the coffee chain because it enhances customer loyalty.

Starbucks emphasized that customer information has not been stolen from its app. It urged customers to use different passwords and log-on details for other internet accounts as hackers might be stealing their information from other sites.

"If a customer believes their account has been subject to fraudulent activity, they are encouraged to contact both Starbucks and their financial institution immediately. Customers are not responsible for charges or transfers they did not make. If a customer's Starbucks Card is registered, their account balance is protected," read the Starbucks statement.

A Starbucks spokeswoman said the company would "work with" customers who have had money drained from their account.

The hacking scheme is part of a new trend in fraud – targeting alternate payment systems that are often easier to break into than bank security systems.
