According to a report by CNN Money, Starbucks has officially acknowledged that hackers have been breaking into individual customer rewards accounts, and have gained access to their credit cards, bank and PayPal accounts by tapping into their Starbucks mobile app. The hackers break into a victim’s Starbucks account online, add a new gift card, transfer funds over and repeat the process every time the original card reloads.
As you may be aware that the Starbucks app lets you pay at checkout with your phone, and can also reload Starbucks gift cards by automatically drawing funds from your bank account, credit card or PayPal. This is how hackers have been gaining access to all their sensitive financial data. The report notes that several Starbucks customers who were interviewed have had this happen to them in recent months. The very first Starbucks theft was reported by consumer journalist Bob Sullivan.
Here’s a story of one of the many victims:
It happened to Jean Obando on the Saturday evening of December 7. He had just stopped by a Starbucks in Sugar Land, Texas and paid with his phone app. Then while driving on the highway, his phone chimed with a barrage of alerts. PayPal repeatedly notified him that his Starbucks card was being automatically reloaded with $50.Then came the email from Starbucks.
“Your eGift Just Made Someone’s Day,” the email said. “It’s a great way to treat someone — whether it’s to say Happy Birthday, Thank you or just ‘this one’s on me’.”
He got 10 more just like it — in just five minutes.Starbucks didn’t stop a single transaction or pause to ask Obando for secondary approval. All of them went through. When Obando told Starbucks he thought his account was hijacked, Starbucks promised to conduct a review. When Obando asked to stop the payments and refund his money, Starbucks told him to dispute the charges with PayPal.
After two weeks, Obando eventually got back his $550, though it made him realize that Starbucks doesn’t seek enough approval from customers before directly accessing their bank accounts.