Good passwords are obviously important for banking apps and sensitive email accounts, but a new scam highlights why you should never, ever use a crappy password, even if you’re just signing up for a mediocre franchise coffee house rewards card. Starbucks app users are getting their bank accounts drained by password-guessing thieves.


People with Starbucks rewards can link the coffee-payment app to their bank accounts, credit cards, or PayPal accounts, which means hacking into someone’s Starbucks app gives thieves an easy way to load up new gift cards and sell them illegally. Starbucks has acknowledged that this scam is happening but says it hasn’t been hacked, and that its hacked customers likely used bad passwords.

Consumer journalist Bob Sullivan first reported on the scam, and emphasized that the scam leaves a lot of latte drinkers vulnerable:

The fraud is a big deal because Starbucks mobile payments are a big deal. Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about 1 in 6 transactions at Starbucks are conducted with the Starbucks app.


While Starbucks should offer two-factor authentication as an option for its popular app, you can only be so protected with a crappy password.



[Quartz via Bob Sullivan]