TORONTO – Your latte habit may be costing you more than you think.
Starbucks has acknowledged hackers have been using its mobile app to steal money from consumers’ bank accounts, credit cards and PayPal accounts.
“Starbucks takes the obligation to protect customers’ information seriously. News reports that the Starbucks mobile app has been hacked are false,” read a statement from the coffee franchise.
“Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks.”
Starbucks’ mobile app allows customers to pay for their drink and food purchases using their smartphone. You can connect a Starbucks gift card, bank account, credit card, or PayPal account to pay for items. You can also reload gift cards through the app.
Hackers have found a way to get into customer accounts, load a new gift card with funds, and transfer the money to themselves.
According to reports, the fraudsters drain the value remaining on the customer’s account and then use Starbucks’ auto-reload function to skim money from the account associated with their Starbucks card.
Those affected report receiving several emails from Starbucks, within minutes of each other, telling them their account has been reloaded.
According to a report by MSN Money, one woman was defrauded of over a hundred dollars when hackers got into her account.
“Early in the morning on May 6, criminals stole $34.77 in value she had loaded onto her Starbucks app by transferring it to a gift card they controlled. Immediately, her account was reloaded with $25 because her balance had hit zero,” read the report.
“Then they upped the ante, changing her auto-reload amount to $75, and stealing the $75, all within seven minutes.”
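The sequence described in the report (stored value transferred out, an auto-reload firing, the reload amount being changed, and the reloaded funds leaving again within minutes) is a pattern an account-monitoring rule can flag. The following is an added example, not Starbucks' code: the event names, the 10-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed threshold; tune to your own traffic

def after(kinds, first, then):
    """True if event kind `then` occurs somewhere after the first `first`."""
    return first in kinds and then in kinds[kinds.index(first) + 1:]

def flag_drain_pattern(events, window=WINDOW):
    """Return {account: {"reasons": [...], "moved_out": total}} for suspicious bursts."""
    by_account = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account.setdefault(e["account"], []).append(e)
    alerts = {}
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            if start["type"] != "transfer_out":
                continue  # a burst starts when stored value leaves the account
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            kinds = [e["type"] for e in burst]
            reasons = []
            if after(kinds, "auto_reload", "transfer_out"):
                reasons.append("reloaded funds transferred out again")
            if after(kinds, "reload_amount_changed", "auto_reload"):
                reasons.append("auto-reload amount changed, then a reload fired")
            if reasons:
                moved = sum(e["amount"] for e in burst if e["type"] == "transfer_out")
                alerts[account] = {"reasons": reasons, "moved_out": round(moved, 2)}
                break
    return alerts

T0 = datetime(2000, 1, 1, 5, 0)  # constructed base time, not from the report
def ev(account, minute, kind, amount):
    return {"account": account, "ts": T0 + timedelta(minutes=minute),
            "type": kind, "amount": amount}

# Constructed sample: acct-A follows the reported sequence; acct-B is ordinary use.
SAMPLE_EVENTS = [
    ev("acct-A", 0, "transfer_out", 34.77),
    ev("acct-A", 1, "auto_reload", 25.00),
    ev("acct-A", 3, "reload_amount_changed", 75.00),
    ev("acct-A", 4, "transfer_out", 25.00),  # assumed; the report does not itemize it
    ev("acct-A", 5, "auto_reload", 75.00),
    ev("acct-A", 7, "transfer_out", 75.00),
    ev("acct-B", 0, "transfer_out", 10.00),
    ev("acct-B", 180, "auto_reload", 25.00),
    ev("acct-B", 200, "purchase", 4.95),
]
```

A single transfer followed hours later by a routine reload, as in acct-B, stays below the rule; only the tight burst is flagged.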
This issue could affect millions of users. The Starbucks app is used by over 16 million customers and has processed more than US$2 billion in transactions.
It’s unclear how many users have been affected by this type of attack – Starbucks maintains such attacks are not widespread.
Global News asked Starbucks whether any Canadian customers had been affected by the issue; however, the company did not comment on that specific inquiry.
The company is vowing to protect customers who have been affected by the scam.
“If a customer believes their account has been subject to fraudulent activity, they are encouraged to contact both Starbucks and their financial institution immediately. Customers are not responsible for charges or transfers they did not make,” read the statement.
“If a customer’s Starbucks Card is registered, their account balance is protected.”
What can you do to protect yourself?
The company is urging app users to use different user names and passwords for different sites, especially those that keep financial information – a sentiment any security expert would agree with.
The best thing to do right now is change the password to your Starbucks account, just to be safe. But make sure you use a secure password. Here are some tips:
Stay away from easy-to-guess passwords like “1,2,3,4” or “Password” and easy-to-guess identifiers like your dog’s name.
According to security experts, passwords that use up to ten upper- and lower-case letters mixed with numbers are proven to be more secure – despite being hard to remember.
One tip is to construct a password from a sentence, mix in a few upper case letters and a number – for example, “There is no place like home,” would become “tiNOplh62.”
Numbers included in a password should never be something easy to guess based on the user.
That means your age, the current year, or your address are not good choices.
Similarly, the longer the password, the better.
Unfortunately, Starbucks does not employ added security features like two-factor authentication, so you aren’t able to beef up your account’s security.
A Starbucks spokesperson did not comment on whether the company planned to add security features like two-factor authentication in the future.
If you are worried about fraud happening on your account, you can also turn off the auto-reload feature on your account, or even delete your credit card and banking information from the app.