Cyber Incident Victim: Starbucks Corporation
Date: May 2015
Location: United States of America
Summary
Attackers exploited stolen credentials from unrelated breaches to conduct brute-force (credential-stuffing) attacks on the mobile app, leveraging weak password practices and the absence of login attempt limits. Upon gaining access, they added fraudulent gift cards and transferred victim funds, further exploiting auto-reload features linked to payment methods to siphon additional money. The company confirmed its systems were not compromised and reimbursed affected customers for unauthorized transactions. This incident highlighted risks associated with credential reuse and insufficient authentication controls in payment applications, mirroring similar attacks observed in other mobile payment platforms.
Description
In May 2015, Starbucks disclosed that unauthorized actors had compromised customer mobile app accounts to steal funds through a multi-stage attack exploiting weak password practices and application design flaws. Threat actors first acquired stolen username and password combinations from unrelated third-party breaches, leveraging the common practice of password reuse across multiple services. Using automated brute-force tools capable of testing hundreds of credential combinations per second, attackers systematically attempted logins against Starbucks' mobile app, which lacked account lockout mechanisms after repeated failed attempts. Upon successful access, attackers added new digital gift cards to compromised accounts and transferred existing balances to these controlled cards. For accounts with enabled auto-reload functionality—which automatically replenished balances from linked credit cards or PayPal accounts—attackers could repeatedly drain funds by initiating additional transfers after each reload cycle. Some attackers escalated theft amounts by modifying auto-reload settings, though Starbucks' notification system alerted customers via email or text when account changes occurred. The attack methodology differed from traditional retail network breaches like those affecting Target or Home Depot, as it exploited credential reuse rather than direct system intrusions. Starbucks confirmed its corporate systems remained uncompromised throughout the incident.

Starbucks responded by publicly clarifying that affected customers would not bear financial responsibility for unauthorized transactions, emphasizing that registered accounts had balance protection guarantees. The company advised users to employ unique passwords across different platforms, particularly for services storing financial data, while denying any breach of its internal networks. Security researchers from firms including Checkmarx and Lookout analyzed the attack pattern, noting that stolen Starbucks gift cards were typically resold online at or below face value to convert them into currency. Industry experts observed similar credential-stuffing incidents affecting other mobile payment platforms like Uber, highlighting systemic vulnerabilities in applications lacking brute-force protections and multi-factor authentication. Transaction data revealed the incident's potential scale, with Starbucks processing $2 billion in mobile payments during 2014 and mobile transactions constituting 18% of all sales at the time of the breach. No customer liability claims or financial loss statistics were disclosed by Starbucks beyond its reimbursement guarantee. The company did not implement immediate technical countermeasures such as attempt-limiting or mandatory two-factor authentication, instead focusing on user education regarding password hygiene.
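As an added illustration, not part of this incident record and not code from Starbucks' systems, the following Python sketch shows the two controls the description says were absent: a sliding-window lockout per account, and a per-source distinct-username limit that catches the credential-stuffing pattern (one source cycling through a leaked list) even when a reused password happens to be correct. The IP addresses, usernames and thresholds are constructed for the example.

```python
from collections import defaultdict, deque

WINDOW = 300             # seconds of history each limit looks back over
ACCOUNT_LOCK_AFTER = 5   # failed logins on one account within WINDOW -> lock it
SOURCE_BLOCK_AFTER = 8   # distinct usernames tried from one source within WINDOW -> block it

class LoginGuard:
    def __init__(self):
        self.fails = defaultdict(deque)   # username -> timestamps of failed logins
        self.users = defaultdict(dict)    # source -> {username: last attempt timestamp}
        self.locked_accounts, self.blocked_sources = set(), set()

    def _prune(self, now):
        # drop history older than WINDOW so both limits are sliding, not lifetime
        for q in self.fails.values():
            while q and now - q[0] > WINDOW:
                q.popleft()
        for seen in self.users.values():
            for u in [u for u, t in seen.items() if now - t > WINDOW]:
                del seen[u]

    def attempt(self, now, source, username, password_ok):
        # password_ok is the outcome of the real credential check, done elsewhere
        self._prune(now)
        if source in self.blocked_sources:
            return "blocked_source"
        if username in self.locked_accounts:
            return "locked"
        self.users[source][username] = now
        if len(self.users[source]) >= SOURCE_BLOCK_AFTER:
            # one source cycling through many accounts is the stuffing signature; block it
            self.blocked_sources.add(source)
            return "blocked_source"
        if password_ok:
            self.fails[username].clear()
            return "allow"
        self.fails[username].append(now)
        if len(self.fails[username]) >= ACCOUNT_LOCK_AFTER:
            self.locked_accounts.add(username)
            return "locked"
        return "denied"

def replay(events):
    """Feed (ts, source, username, password_ok) events; return decisions and what got blocked."""
    g = LoginGuard()
    decisions = [g.attempt(*e) for e in events]
    return decisions, sorted(g.blocked_sources), sorted(g.locked_accounts)

# Constructed sample: a stuffing source tries one leaked password per account; a real user mistypes theirs.
SAMPLE = ([(t, "198.51.100.9", f"user{t}", t == 7) for t in range(8)]      # 8th guess is a working reused password
          + [(20 + i, "192.0.2.44", "carol", i == 5) for i in range(6)])  # right password on try 6, but locked
```

Note that the stuffing source is blocked on its first correct guess, while the legitimate user is locked out only after five failures on their own account, so the two limits trip on different signals.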
