Starbucks app hacked, auto top-up feature exploited

Hackers have successfully exploited a smartphone application used by customers of the global coffee franchise Starbucks. The "rewards card" app allows users to pay for coffee and food with pre-loaded "rewards cash," using saved customer credit or debit card data as well as other saved identity information.

Without initially knowing specific card details or account numbers, hackers were able to access Starbucks customers' rewards cards via the compromised app. They could then trace the data backwards to gain access to users' personal data, and reuse their credentials for subsequent attacks, specifically using the "auto top-up" feature which automatically adds cash value to the card from a linked bank or credit card account. Hackers were able to repeatedly "top-up" hacked accounts using this flawed feature.
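The repeated top-ups described above are the kind of pattern a payment provider's fraud monitoring can catch. As an added illustration (not code from the article or from Starbucks), the following check runs a sliding-window velocity rule over a constructed sample of top-up events and flags accounts with too many reloads, too much value, or a reload from a device the account has never used; the field names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of auto top-up events: (account, ISO time, amount, device id).
# Field names and values are hypothetical, not from any real Starbucks system.
EVENTS = [
    ("acct-1", "2015-05-13T08:00:00", 25.00, "dev-A"),
    ("acct-1", "2015-05-20T08:05:00", 25.00, "dev-A"),   # normal weekly reload
    ("acct-2", "2015-05-13T09:00:00", 25.00, "dev-B"),
    ("acct-2", "2015-05-13T09:03:00", 50.00, "dev-Z"),   # new device, then a burst
    ("acct-2", "2015-05-13T09:06:00", 50.00, "dev-Z"),
    ("acct-2", "2015-05-13T09:09:00", 50.00, "dev-Z"),
]

WINDOW = timedelta(hours=1)
MAX_RELOADS_PER_WINDOW = 2      # assumed policy thresholds
MAX_AMOUNT_PER_WINDOW = 100.0


def find_suspicious_reloads(events, window=WINDOW,
                            max_count=MAX_RELOADS_PER_WINDOW,
                            max_amount=MAX_AMOUNT_PER_WINDOW):
    """Return {account: [reasons]} for accounts whose reload pattern looks like takeover."""
    recent = defaultdict(deque)       # account -> (time, amount) pairs inside the window
    known_devices = defaultdict(set)  # account -> devices seen on earlier events
    alerts = defaultdict(list)
    for acct, ts, amount, device in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        q = recent[acct]
        while q and t - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        q.append((t, amount))
        reasons = []
        if len(q) > max_count:
            reasons.append(f"{len(q)} reloads within {window}")
        total = sum(a for _, a in q)
        if total > max_amount:
            reasons.append(f"{total:.2f} reloaded within {window}")
        if known_devices[acct] and device not in known_devices[acct]:
            reasons.append(f"reload from unseen device {device}")
        known_devices[acct].add(device)
        for r in reasons:
            if r not in alerts[acct]:
                alerts[acct].append(r)
    return dict(alerts)


if __name__ == "__main__":
    for acct, reasons in find_suspicious_reloads(EVENTS).items():
        print(acct, "->", "; ".join(reasons))
```

In practice the alert would trigger a step-up check or a temporary hold on the auto top-up feature rather than just a log line.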

"The key security takeaway from this incident is the fact that as a company, customers' security information often doesn't exist in a bubble," Roy Tobin, threat researcher at Webroot, commented in an email to SCMagazineUK.com. "Passwords are frequently saved to browsers or documents, and are repeatedly reused by customers across separate online accounts."

Tobin advises that the most effective way to mitigate identity theft is with a two-factor authentication (2FA) process that requires the user to verify their identity when logging in from a new device or location. "This extra security hurdle," he notes, "can effectively stop hackers in their tracks, while alerting the user to the unauthorised attempt to access their account and prompting them to change their password."
