Was the "Starbucks Hack" Really a Hack?
Written by: Jessica Ciannamea | Wed, 23 Sep 2015 21:24:49 +0000
Coffee devotees lining up in their neighborhood Starbucks in the spring got an added shot to their morning venti nonfat chai lattes: Their bank accounts were hacked.
Apparently, the Starbucks mobile app, which allows customers to link their bank accounts to the app as a means of paying, racking up points, and receiving rewards, is the conduit through which a new scam operates.
Hackers either guess or steal a customer's sign-in credentials, then access the Starbucks account and immediately change the username and password. That's the first clue for customers that something is amiss.
Bob Sullivan, a former MSNBC reporter who struck out on his own to cover tech and consumer issues, originally reported the scam on his website. He wrote, "In effect, the hackers stole from [the victim's] credit card, through her gift card loaded onto her Starbucks app, without having to touch her phone or even know what her credit card number was."
He added, "Essentially, any criminal who obtains username and password credentials to Starbucks.com can drain a consumer's stored value and attack their linked credit card."
Starbucks issues statement explaining scam, denying hack
While victims were quick to blame the coffee chain for this incident, Starbucks denied that its mobile app was actually hacked.
"Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account," the company wrote in a statement. "This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different usernames and passwords for different sites, especially those that keep financial information."
If Starbucks wasn't hacked, then how was the fraud perpetrated? Both Sullivan and renowned security expert Brian Krebs, who was first to report more than a few breaches at major retailers, claim that the likely culprit is password and username reuse.
The affected customers could have been victims of a separate hack at some point, and criminals may have simply tested those hacked username and password combinations to break into the Starbucks accounts.
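The two patterns the article describes, a single source testing leaked username/password pairs against many accounts and a successful login followed almost immediately by a credential change, are what a defender would look for in authentication logs. The following is an added example, not code from Starbucks or from either reporter; it runs over a constructed log in a hypothetical comma-separated format (timestamp, event, user, source IP) and flags both patterns.

```python
import collections
from datetime import datetime, timedelta

# Constructed sample authentication log in a hypothetical format:
# timestamp,event,user,source_ip  (events: login_fail, login_success, cred_change)
LOG = """\
2015-05-12T08:00:01,login_fail,alice,203.0.113.7
2015-05-12T08:00:02,login_fail,bob,203.0.113.7
2015-05-12T08:00:02,login_fail,carol,203.0.113.7
2015-05-12T08:00:03,login_success,dave,203.0.113.7
2015-05-12T08:00:04,login_fail,erin,203.0.113.7
2015-05-12T08:00:05,login_fail,frank,203.0.113.7
2015-05-12T08:01:10,cred_change,dave,203.0.113.7
2015-05-12T08:05:00,login_success,alice,198.51.100.4
2015-05-12T09:30:00,cred_change,alice,198.51.100.4
"""

def parse(log):
    """Parse the constructed log into (timestamp, event, user, ip) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, event, user, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), event, user, ip))
    return events

def stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Credential-stuffing signature: one source IP tries many distinct
    usernames and most attempts fail (reused credentials only hit sometimes)."""
    by_ip = collections.defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0})
    for _, ev, user, ip in events:
        if ev in ("login_fail", "login_success"):
            by_ip[ip]["users"].add(user)
            by_ip[ip]["fail" if ev == "login_fail" else "ok"] += 1
    flagged = []
    for ip, s in by_ip.items():
        total = s["fail"] + s["ok"]
        if len(s["users"]) >= min_users and s["ok"] / total <= max_success_ratio:
            flagged.append(ip)
    return sorted(flagged)

def takeover_candidates(events, window=timedelta(minutes=10)):
    """Account-takeover signature from the article: a credential change
    shortly after a successful login. Returns (user, login_ip) pairs."""
    last_login, hits = {}, []
    for ts, ev, user, ip in sorted(events):
        if ev == "login_success":
            last_login[user] = (ts, ip)
        elif ev == "cred_change" and user in last_login:
            login_ts, login_ip = last_login[user]
            if ts - login_ts <= window:
                hits.append((user, login_ip))
    return hits
```

In the constructed data, 203.0.113.7 is flagged as a stuffing source and dave's account as a takeover candidate, while alice's credential change 85 minutes after her login is not; in practice a stuffing source should also trigger rate limiting and a forced re-verification before any credential change is accepted.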
Creating a stronger, safer password
Both experts suggested customers attempt to create stronger passwords on their accounts—ones that are not widely used across other sites.
The Department of Homeland Security (DHS) offers several suggestions for creating a safe password, including the following:
• Don't use words that can be found in any dictionary of any language; use a combination of upper- and lowercase letters, numbers, and symbols.
• Don't use passwords that are based on personal information or that can be easily accessed, guessed, or found by a quick search on social networking sites, including birthdays, names of pets, and favorite movies and books.
• Use different passwords for different accounts and change them regularly.
Starbucks also told customers that if they are victims of fraudulent activity, they are not responsible for charges or transfers they did not make and that if their card is registered, their account balance is protected. It encouraged customers to call their financial institution and Starbucks immediately if they are worried about their accounts.