Hackers Squeeze Cash Out of Starbucks Addicts


By guessing passwords or stealing credentials that individuals unwisely used for multiple accounts, “criminals are hijacking consumers' coffee accounts, draining the stored value of their cards, and then using Starbucks' auto-reload function to hack consumers' associated debit and credit cards,” CNBC reports.

Maria Nistri, 48, said it happened to her. Early on May 6, criminals stole $34.77 that the Orlando, Fla., resident had loaded onto her Starbucks app by transferring it to a giftcard they controlled. Immediately, her account was reloaded with $25 because her balance had hit zero. The criminals stole that, too.

“Then they upped the ante, changing her auto-reload amount to $75, and stealing the $75, all within seven minutes,” according to CNBC.

Nistri was able to document the episode in real time because an email had alerted her to a change in her account.

"It was crazy. I was like, 'What in the world?'" Nistri said. "I was lucky I happened to check my email when I did. Otherwise, who knows how much they would have gotten?"

Whereas traditional industry fraud-fighting software typically flags unusual shopping patterns, such as an attempted jewelry purchase in a foreign country, small auto-reload purchases at Starbucks don't trigger such warnings.

Attacks like the one on Nistri's account work because many Starbucks customers link their payment cards to the giftcards loaded onto their mobile payment apps. They also succeed because criminals who gain access to a victim's Starbucks.com account can simply move value from the consumer's giftcard to a card they control.
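The pattern described above (drain, auto-reload, raise the reload amount, drain again, all within minutes) is what a velocity-based rule can catch even though each individual charge is small. The following is an added example, not code from the article or from Starbucks: it runs such a rule over a constructed event log whose shape (account, seconds offset, event kind, amount) is assumed for illustration, with amounts modeled on the Nistri episode.

```python
from collections import defaultdict

# Constructed sample log (hypothetical schema): (account, t_seconds, kind, amount).
# acct-1 mirrors the reported episode; acct-2 is ordinary reload-then-purchase use.
EVENTS = [
    ("acct-1", 0,   "transfer_out",          34.77),  # balance moved to another giftcard
    ("acct-1", 30,  "auto_reload",           25.00),  # balance hit zero, card charged
    ("acct-1", 70,  "transfer_out",          25.00),
    ("acct-1", 180, "reload_amount_changed", 75.00),  # auto-reload raised to $75
    ("acct-1", 200, "auto_reload",           75.00),
    ("acct-1", 300, "transfer_out",          75.00),  # all within seven minutes
    ("acct-2", 1000, "auto_reload",          25.00),
    ("acct-2", 2800, "purchase",              4.15),
]

WINDOW_SECONDS = 10 * 60  # assumed detection window; tune to observed legitimate use


def detect_reload_drain(events, window=WINDOW_SECONDS):
    """Return {account: {"reasons": [...], "drained": total}} for accounts whose
    events inside any sliding window look like the drain / reload / drain loop.
    The rule is amount-agnostic: it keys on sequence and speed, not charge size."""
    by_acct = defaultdict(list)
    for acct, t, kind, amount in events:
        by_acct[acct].append((t, kind, amount))

    alerts = {}
    for acct, evs in by_acct.items():
        evs.sort()  # order by time so "followed by" checks are meaningful
        for i, (t0, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            kinds = [k for _, k, _ in win]
            reasons = []
            # Two or more outbound transfers with an auto-reload between them.
            if kinds.count("transfer_out") >= 2 and "auto_reload" in kinds:
                reasons.append("repeated transfer_out with auto_reload in window")
            # Reload amount changed and then the balance was transferred out.
            if "reload_amount_changed" in kinds:
                idx = kinds.index("reload_amount_changed")
                if "transfer_out" in kinds[idx + 1:]:
                    reasons.append("reload amount raised then drained")
            if reasons:
                drained = sum(a for _, k, a in win if k == "transfer_out")
                alerts[acct] = {"reasons": reasons, "drained": round(drained, 2)}
                break  # one alert per account is enough; stop at first hit
    return alerts
```

A hit should hold the auto-reload and require re-authentication rather than just log, since the card charges themselves are the harm.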

Complaints about lost Starbucks value and related credit-card fraud are easy to find on various forums devoted to the crime.

A security expert familiar with the Starbucks attacks who requested anonymity said the company has been fighting off password-guessing “brute-force” attacks on its website. When hackers pilfer a large database of usernames and passwords from any site, they often run the list through other large sites, looking for "hits." Such attacks, which are common at any large e-commerce site, work because many consumers use the same username and password across multiple sites.