This post has been corrected.
Any time you link an app to your bank account or credit card, you had better use a strong password. That seems to be the takeaway from a recent spate of thefts suffered by people using the Starbucks app, which lets you pay for coffee using your smartphone.
As reported by journalist Bob Sullivan and CNN, victims noticed that their accounts had illicitly been used to buy Starbucks gift cards worth hundreds of dollars, which can then be sold on the black market.
An Orlando woman named Maria Nistri told Sullivan that someone accessed her Starbucks app account and changed the username and password. The thief used the existing $34 balance to buy a gift card, waited for the app’s “auto-fill” function to withdraw more money from her bank account, and then stole another $100 within a few minutes.
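The sequence Nistri describes (credentials changed, balance spent on a gift card, auto-reload tops the account up, second purchase minutes later) is a recognisable account-takeover pattern. The following is an added detection example, not code from this post or from Starbucks; the event schema and the sample events are constructed for illustration, and the 30-minute window is an assumed tuning value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    account: str
    ts: datetime
    kind: str  # "credential_change", "gift_card_purchase" or "auto_reload"
    amount: float = 0.0


# Constructed sample events (hypothetical schema; not real Starbucks logs).
SAMPLE_EVENTS = [
    Event("acct-1", datetime(2015, 5, 13, 9, 0, 0), "credential_change"),
    Event("acct-1", datetime(2015, 5, 13, 9, 1, 10), "gift_card_purchase", 34.0),
    Event("acct-1", datetime(2015, 5, 13, 9, 1, 30), "auto_reload", 100.0),
    Event("acct-1", datetime(2015, 5, 13, 9, 3, 0), "gift_card_purchase", 100.0),
    # Benign account: a reload and a purchase, but no credential change first.
    Event("acct-2", datetime(2015, 5, 13, 10, 0, 0), "auto_reload", 25.0),
    Event("acct-2", datetime(2015, 5, 13, 10, 5, 0), "gift_card_purchase", 10.0),
]

# Stages expected after a credential change, in order.
TAKEOVER_STAGES = ["gift_card_purchase", "auto_reload", "gift_card_purchase"]


def flag_takeover_pattern(events, window=timedelta(minutes=30)):
    """Return account ids whose events show a credential change followed,
    within `window`, by a gift card purchase, an auto-reload and another
    gift card purchase (the drain / reload / drain sequence)."""
    by_account = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(e.account, []).append(e)
    flagged = set()
    for account, evs in by_account.items():
        for i, e in enumerate(evs):
            if e.kind != "credential_change":
                continue
            stage = 0
            for later in evs[i + 1:]:
                if later.ts - e.ts > window:
                    break  # outside the window: stop looking at this change
                if later.kind == TAKEOVER_STAGES[stage]:
                    stage += 1
                    if stage == len(TAKEOVER_STAGES):
                        flagged.add(account)
                        break
            if account in flagged:
                break
    return sorted(flagged)
```

A hit on this rule is a prompt to hold the purchase and re-verify the account owner, not proof of fraud on its own.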
Jean Obando of Sugar Land, Texas, had $550 stolen via his Starbucks app, which was linked to his PayPal account, he told CNN.
Starbucks’ gift cards and smartphone apps are hugely popular, and constitute their own currency of sorts. One in seven Americans received one of its gift cards last year, and users load billions of dollars onto them every year. The company’s smartphone app, which is also available for the Apple Watch, accounts for about one in every six transactions at its US outlets.
The company was quick to dismiss any suggestion that its own systems had been hacked, and pointed the finger at users who chose insecure passwords to protect their accounts. It said in a statement:
Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.
In a separate incident in January, Starbucks came under fire for a security vulnerability that might allow app passwords to be stolen, but the company quickly issued an update that fixed the issue.
Correction (May 14th): An earlier version of this post incorrectly named journalist Bob Sullivan as Bill.