Starbucks customers apps hacked
Starbucks customers have reported money stolen from credit cards linked to the company's mobile app after their accounts were hacked Wikimedia Commons

Starbucks customers are reporting that hundreds of dollars have been stolen from their credit cards after receiving emails saying the passwords and login details for the coffee company's mobile app had been reset.

While details of exactly how the attacks are taking place are still unclear, it appears that credentials leaked in previous cyberattacks could be used to allow hackers to siphon off money from Starbucks's customers.

Starbucks' smartphone apps allow customers to pay for coffee and food in store, by pre-loading their reward cards with credit by storing a credit or debit card with the company.

By gaining access to a victim's rewards card, the hackers don't necessarily even need to know the card details or account number of the customer in order to perpetrate the fraud. Considering users of the app are also required to input their date of birth and address as well as card details, the hackers could then reuse these credentials in other attacks.

Those carrying out the attacks have taken advantage of a feature of the smartphone apps called "auto top-up" which automatically added a pre-defined amount of money to your card when it drops below a certain figure.

In one attack, reported by consumer journalist Bob Sullivan, an Orlando woman had her balance of $34.77 (£23.93) wiped off her account before it auto-updated with $25 and then again with a further $75 after the hackers changed the auto top-up amount.

Unauthorised

The woman, along with several others on social media websites, have reported that the attacks typically begin with an email which said that their username and password had been changed and if this was unauthorised, they should contact Starbucks.

The attacks reported to date seem to be solely affecting US customers with IBTimes UK learning that Starbucks has not seen any reports of similar behaviour in the UK or Europe.

The company has also pointed out that neither its smartphone apps nor its systems have been breached - though this is unlikely to be of much comfort to the customers whose money has been stolen.

The Seattle-based coffee company has not addressed the specifics of these attacks, but the evidence suggests that the hackers are using credentials stolen in other breaches (such as the high profile attacks on Target and Home Depot in the US in 2014) to access customer accounts.

As many people reuse username/password credentials across a variety of online services, the hackers will have been able to successfully access the accounts without too much problems before changing the passwords.

In order to retrieve the money, the hackers have several options. The first would be to transfer the balance from one gift card to another which is under their control, before selling these online for a reduced rate. They could also use a feature allowing Starbucks customers to combine the balances from multiple cards onto a single card – again, one which is under their control.

Starbucks has said they are not linked or connected to mobile payments, adding:

"We take the obligation to protect customers' information seriously and have safeguards in place to constantly monitor for fraudulent activity, working closely with financial institutions like all major retailers. For obvious reasons, we are unable to discuss specific security measures. Our customers' security is incredibly important to us and we take all these concerns seriously."

Conspiracy theory

Stephen Coty, from security company Alert Logic believes a recent problem with the company's in-store payment systems could be linked to this attack:

"The timing of this attack is very interesting since, just about a week ago, Starbucks had an issue in their stores with their payment system not allowing for the processing of credit cards. Makes you think what exactly happened to the payment system that shut down the service for a day and gave attackers an opportunity to compromise a part of their system."

However Starbucks has told IBTimes UK that this is "untrue" and that there is no link between the two incidents.

The company added that it worked quickly to resolve the concerns of customers who reported issues about their accounts to the company, saying customer account balances are protected by Starbucks.

However some customers have said that while their initial balances have been restored, the subsequent purchases have not been refunded and it is up to the customers themselves to chase up their banks to try and retrieve the money.

This is not the first time Starbucks smartphone apps have been criticised. In January 2014 security researcher Daniel Wood pointed out that the company was storing usernames and passwords in clear text and that if an attacker got hold of a customers phone they could potentially steal their account information.

Starbucks acknowledged the attack but said it was highly unlikely to affect any of its customers.