Hackers have taken up a new avenue and have begun striking Starbucks customers, stealing thousands of dollars from victims' banks and credit cards, all through the Starbucks mobile application.

On Wednesday, Starbucks issued a statement acknowledging that criminals have been breaking into Starbucks customer rewards accounts to make fraudulent transactions totaling several hundred dollars in customer charges, resulting in thousands of dollars in fraud.

The Starbucks rewards program lets loyal customers sign up for a Starbucks-exclusive card that ties their credit card and other payment options to their mobile phone. The app can also reload and gift Starbucks gift cards by automatically withdrawing funds from the bank account, credit card or PayPal account that is linked directly to the Starbucks rewards app.

Criminals have begun targeting Starbucks customers, breaking into victims' online accounts and making fraudulent gift card transactions to send funds to their own account, allowing for easy rinse and repeat.

Several reports from Starbucks customers around the nation have confirmed that Starbucks is dealing with some form of mobile app hacking. One customer, Jean Obando, cites an incident on December 7th: shortly after a trip Obando had made to Starbucks, hundreds of dollars in fraudulent transactions started being made at one time. Obando said he was on his way to work when a mass of emails flooded his inbox, and he found PayPal notifying him that a Starbucks card was being reloaded with $50.

The notification from Starbucks appeared in his email reading: “Your eGift Just Made Someone’s Day,” the email said. “It’s a great way to treat someone — whether it’s to say Happy Birthday, Thank you or just ‘this one’s on me.’”

While Obando was obviously confused, hackers made a set of over 10 transactions, totaling over $500 worth of fraud within just a few minutes.

What’s even more frightening is that Starbucks rewards didn’t halt or question the sudden run of over $500 in gift card charges on Obando’s account. After he contacted Starbucks, a representative told him the company would conduct a review of the incident. When he asked about a refund for the fraudulent transactions, Starbucks told Obando to deal with PayPal directly to get his money back.

Obando said it took him over two weeks to get back the $550 that was stolen from his Starbucks account.

All transaction records show payments from the registered card being forwarded to a random @yahoo.com address, which many have reached out to without receiving a reply.

A similar incident happened to Kristi Overton on Monday morning. While she was working at her desk, Overton’s phone suddenly lit up five times with a number of notifications. Overton found out a fraudster had broken into her Starbucks rewards account and begun abusing the auto-reload feature to clear her existing funds and make several fraudulent transactions totaling over $115 in Starbucks purchases. Luckily, Overton was able to have the issue dealt with immediately, as her card was attached to Starbucks and not PayPal.

Following recent reports, Starbucks has denied any and all allegations that its rewards system has been breached, noting the company didn’t suffer any form of data theft. Starbucks went on to say the accounts were likely compromised due to customers’ weak passwords.

Several Starbucks customers have noted that they used their Starbucks credentials across several other websites and that the passwords may not have been the most secure. Overton was one of the few to admit she had reused her Starbucks account password elsewhere.

Starbucks did not release further information on whether a new fraud system will be put in place to decrease the recent spike in phony transactions, but did say all customers experiencing fraudulent transactions will be fully reimbursed.

This is not the first time the Starbucks rewards payment system has had a security mishap. Just last year, one researcher discovered that the Starbucks app had left passwords stored in plain text on the device.

Starbucks customers can protect themselves by creating and using a strong password on their Starbucks rewards account. Simply disabling the auto-reload feature will not hinder fraudsters, meaning the only way to defeat this entirely would be to detach your credit card information from the account itself, which may lead to you not receiving rewards.

Though Starbucks did not directly experience a breach, many companies have, and they have leaked critical information such as email accounts and passwords. To protect yourself from the recent swath of Starbucks account hacking, change your password immediately.

Resources:

Journalist Bob Sullivan

[Photo via Marco Paköeningrat/Flickr [CC BY 2.0]]