Starbucks has confirmed multiple reports of users of its smartphone app having three-figure sums stolen from their accounts in the form of gift certificates, reports CNN.
One user lost $550 in a matter of minutes, his account auto-reloaded each time it was emptied by a hacker sending a series of $50 gift cards. Other users have also reported three-figure losses within a matter of seconds or minutes …
Starbucks told CNN that no data has been hacked or lost, and blames the issue on customers using weak passwords – or using the same password for multiple sites and apps.
So if you use the Starbucks app and don’t already have a strong, unique password, now would be a great time to change it. Note that switching off auto-reload won’t help if a hacker has your login: they can simply switch it back on again. You can, however, delete the payment method attached to your account and use a strong, unique password.
It was revealed last year that the Starbucks app stores passwords in plain text (believed to have been fixed a few days later), but as these are only stored locally on your phone, it’s an unlikely route for a hack.
Starbucks updated the app in February, allowing Apple Pay to be selected as a payment method.
FTC: We use income earning auto affiliate links. More.
Why doesn’t Starbucks have TouchID as a passwords option? This is one of my frustrations with any app developer that uses a password but doesn’t make TouchID a login option. My passwords are all complicated and unique and therefore if I have to enter a password and I am out of the house, I am SOL. Therefore the app developer like Starbucks loses and I don’t make a purchase. For a lot of other people they just have same password for all apps which then leads to problems like this. Apple has provided a solution and the developers have not used it.
Could use 1Password/ similar products for the complicated and unique passwords?
I use LastPass and for $12 a year you get mobile use that has any and every long complicated password at your “finger tips”. You remember one password to get in the app and it remembers as many as you heart desires.
My understanding is that Apple is the only party allowed to store TouchID information. No third party app is allowed to have individuals fingerprints, hence no app will every allow TouchID credentials for login. Cool to think about, but not legal. If someone gets ahold of your fingerprint, then TouchID is no longer a feature, it’s more of a threat.
@ Drew Cohen: I don’t think that it is the case that developers can’t use TouchID (please correct me if I am wrong). I have an app called “Pushups Coach Free” that uses TouchID to login. Evernote also has a paid option that uses TouchID for login (annoying that Evernote makes you pay for a security feature). Those are two apps that I can think of off the top of my head.
My understanding is that TouchID is not accessing your fingerprint, it is merely an authentication system.
Incorrect. Many apps use touchID already (Mint being a big one as that has access to all my banking/credit info).
That’s incorrect. Touch ID is available to 3rd party developers for authentication. Mint and Robinhood are two apps that I know use Touch ID.
And how exactly is someone getting ahold of your finger prints? While there have been some proof of concept testing for finger print theft, the cost and difficulty are incredible, partially because Touch ID looks for blood flow, not just the finger print. So even if someone cuts your finger off, it won’t work.
Again, wrong…LastPass, Dropbox, Mint are just a few that I have that all use TouchID.
Drew, you have your facts very incorrect.
Ready? Good.
Password
Dashlane
LasPass
Mint
Scanner Pro
USAA
Day One
Dropbox
BillGuard
I can keep going. Please check simple Apple facts before posting on an Apple centric site.
Thanks much.
The Starbucks password goes beyond just the App, its also used by their website.
On the web, i can use @#%Vmdsf3s as my password for starbucks.com and I can use Lastpass to remember that, but I can not remember a unique / complicated password like that for all my apps. What happened at Starbucks is not that they were able to crack a password like @#%Vmdsf3s but rather the hackers guessed at passwords like “coffee” or they hacked another app and realized that I always use “openapp” as my password.
ahhh, I see what you were saying now….true
shouldn’t this be easily trackable. the gift cards have to go somewhere.
They go to a (presumably disposable) email address
They also should be able to cancel and refund those gift cards. They would be resold somewhere, but that will take time.
i’m one – I just thought I forgot to hit save or something.. this makes sense and I was only interested in a simple app password.
I just load from gift cards I buy in the store, slightly more hassle than linking my CC to the App but just never wanted starbucks with my financial info on file.
This happened to me less than a year ago, it was a nightmare, though my bank declined most of them and guess what I had a pretty strong password. When I called Starbucks they told me they get twice a day at least. I basically stopped having a card linked to the account. Luckily now you can reload with ApplePay.
Everyone keeps saying you can use apple pay with Starbucks — I’m not seeing that option anywhere. I know you can’t pay in Starbucks stores with Apple pay but how in the world can you use the app to reload using Apple pay? I am not seeing it anywhere – I have an iPhone 5S and an apple watch; I get the 5S doesn’t have NFC but since you are using the app that shouldn’t matter right? And the watch supports Apple pay right? Do I really need an iPhone 6/plus to reload with Apple pay?
I have an iPhone 6 and have it as my main fund source. Go to the SB app, Account Settings, and it is shown as the payment method. I’m guessing you won’t see it there because ApplePay is not an option on the 5S(correct?).
Since I don’t have the Apple Watch I can’t say for sure how the watch works with a phone without ApplePay but I’m guessing it only uses cards in your PassBook for locations that accept ApplePay. Paying for SB’s with the Watch is not the same as using ApplePay (which most SB stores I go to don’t accept anyway) as I believe it is just an extension of the SB app. For locations that DO accept ApplePay, the watch is basically using the phone to verify and pay using Passbook cards with ApplePay.
You would have to reload the SB’s card with an available funding source, i.e. debit or credit card on a phone without ApplePay.
It looks like there are two “forms” of Apple Pay. There is the ability to pay for items at the register using contact less payment, and also the ability to make in app purchases (like reloading Starbucks card in the app). Unfortunately, the later “form” of in app purchasing is only available on the iPhone 6/Plus, iPad Air 2, and iPad mini 3.
There are no plans to add it to 5/S/watch. I feel kind of duped here…you have to really dig on apples FAQ to find this out, and the watch is advertised as bringing Apple Pay ability to an iPhone 5/S/C. I don’t understand why this requires the newer devices; especially since the 5S *has* TouchID, and also this seems like a purely software mechanism; I see no reason why paying for an in app purchase would require an NFC chip; and even with the watch which doesn’t have TouchID, you can secure the ability to pay with a passcode. The great thing about Apple Pay is that every time you use it you must input some form of identity challenge (fingerprint or passcode), and the company you’re buying from never has permanent access to your financial information. This would have stopped the Starbucks hackers in their tracks…and it sucks that I can’t even use it to protect myself. Bleh!
The problem is that if they bad guy guesses your password he can login to your account on Starbuck’s website from any computer and change things. This has really nothing to do with Pay. It’s about having strong, unique passwords that are hard to crack.
This is false; the reason why the hackers were able to gain instant access to funds with a password is that your financial payment method is permanently stored on Starbucks’ servers.
With Apple Pay, your info remains private; even Apple themselves do not have it on their servers; and every time you use Apple Pay, you must scan your fingerprint or input a *separate* passcode.
In summary, if someone hacked my Starbucks account and my only payment method for Starbucks was Apple Pay, the hackers would have absolutely no way to use it or make any purchases whatsoever.
“That’ll learn you”
Sadly I was one. I’ve since canceled that card and now use Apple Pay to reload my Starbucks card.