Starbucks says its popular mobile app has not been hacked, and that may be true, but a report by consumer reporter Bob Sullivan that fraudsters are specifically targeting the mobile app’s users to drain their accounts then siphon off even more money when the auto-reload function kicks in appears to be accurate. Sullivan reported this week that fraudsters are taking over users’ Starbucks accounts, changing the usernames and passwords, sending themselves an e-gift card with whatever funds are loaded in the account, and using the auto-reload feature—after they have increased the amount automatically reloaded with a linked credit card—to reload the account and repeat the process.
Starbucks appears to be taking umbrage at the usage of the word “hacked” in media reports, suggesting criminals obtained the account data from Starbucks’ own network. The company said in a statement yesterday, however, that “unauthorized activity on [customers’] online accounts… is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks.” But, wherever the fraudsters obtained the usernames and passwords to effect the account takeovers, clearly the community of cyber thieves is aware of and has been hammering away recently at this particular vulnerability.
Account takeover has become one of the most common types of fraud directed at online merchants and consumers. Starbucks may be the one answering question publicly because of the sheer popularity of its app. It remains the most successful mobile payment deployment by any merchant. During the Seattle-based coffee giant’s Q2 earnings call just three weeks ago, CEO Howard Schultz said customers loaded a record $1.1 billion on their Starbucks cards in the second quarter. The company reports 16 million active users of the mobile app make eight million mobile payments a week, accounting for nearly 20 percent of all transactions at its U.S. stores.