Nearly a third of Starbucks’s purchases are now made via its mobile app. That’s a ton of sales (about a billion dollars’ worth) that rely on personal credit cards, so it’s fair to assume app security is a top priority for the company. It’s a little weird, then, that so many of the app’s users have been complaining recently about fraudulent activity on their accounts. In fact, BuzzFeed News reporter Venessa Wong had hers compromised a few weeks ago. She watched remotely as some rando across the country in San Diego reloaded 100 of her dollars onto the app, then spent it on … whatever a person spends $100 on at a Starbucks. Her story noted that this particular security vulnerability (likely the result of crooks obtaining stolen log-ins from hacked websites, then giving them a try on the mobile app) is an ongoing one for Starbucks — and that it stretches back to at least 2015.
A lot of hacked customers have taken their complaints to social media, in many cases to publicly shame Starbucks into finally implementing additional security measures.
Instead, Starbucks’s response has so far been to pat itself on the back for having “a team of engineers dedicated to advancing security and fraud prevention.” In a statement to Good Housekeeping, which reached out to ask why so many customers were getting hacked, the chain says that thanks to this crackerjack in-house security team, only “a tiny fraction of one percent” of account holders have problems. And it suggests these individuals should try just not having such crappy passwords: “We strongly encourage our customers to follow best practices to protect their accounts.” Get rid of those “coffee” passwords right now, and pray Starbucks will add two-factor authentication to its app.