
It's because too many people reuse passwords.

Mike Pomranz
May 10, 2017

People have a surprising amount of money invested in Starbucks. As we wrote about last year, through the first quarter of 2016, customers of the coffee chain have a combined $1.2 billion loaded onto Starbucks cards and the Starbucks mobile app. Pushing use of the mobile app has been an especially big priority for the company, and mobile transactions now account for about a quarter of all Starbucks transactions. So with so much on the line, you’d think that America’s most common coffee shop would take extra care to make sure all that mobile money couldn’t be compromised. But a recent report suggests that, when it comes to protecting online transactions, the ‘Bucks might not be up to snuff.

Late last month, some Starbucks fraudster hacked the wrong person. Reporter Vanessa Wong has broken a number of major food stories for BuzzFeed News, so when she noticed unauthorized activity on her Starbucks mobile app she immediately began scratching beneath the surface. Late last month, someone reloaded her Starbucks account with $100 through her linked credit card, and then immediately emptied it at a store in San Diego. In the end, the coffee brand canceled the $100 charge and refunded Wong’s previous balance, but this incident revealed a larger problem: Starbucks is still more vulnerable than many other major brands when it comes to potential hacks.

At the heart of the issue is that Starbucks doesn’t yet use two-factor authentication. This means all criminals need to hack your account is your username and password. Once someone has that information, they can access your account from anywhere without triggering an additional security check for activity coming from an unusual device or location.

Security flaws are common nowadays, but what makes this incident troubling is that Starbucks addressed these issues way back in May of 2015. Importantly, as Starbucks said then and has reiterated now, the company hasn’t been hacked itself. These app breaches are caused on the consumer end due to people reusing usernames and passwords from other sites that have been compromised. And even back in 2015, Starbucks explicitly stated, “Customers are not responsible for charges or transfers they did not make. If a customer’s Starbucks Card is registered, their account balance is protected.” The company stresses it’s their problem, not yours.

Still, you’d think Starbucks would want to address this ongoing issue. Money lost to fraud is money lost. And though the brand says it will protect customers’ accounts if there are unauthorized charges, that only applies if customers realize they’ve been hacked. Meanwhile, in response to an inquiry about potentially increasing security from BuzzFeed, Starbucks ambiguously stated, “While we do not share specifics on future security protocol timelines or practices, our security and anti-fraud teams actively continue to develop, and invest in, enhanced protection measures, further strengthening our platforms.”

So as with any online account, it’s important to keep an eye on all your transactions just in case. And though Starbucks also stated that “only a tiny fraction of one percent of our account holders” have issues with unauthorized payments, it probably wouldn’t kill you to have different passwords for all your accounts, Starbucks included.
