According to reports, hackers have gained access to a number of Starbucks mobile app accounts.
The compromise reportedly stems from weak or reused passwords: attackers guess them, or replay email/password pairs leaked from other sites, and log in to customer accounts through the application programming interface (API) rather than through any breach of Starbucks' own systems.
Once an attacker has a working username and password, they can reload the customer's app balance from the linked payment method and then transfer that balance as a gift to an email address they control, converting the victim's card into the attacker's spending money without ever touching the card number.
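The login pattern described above (guessed or replayed credentials arriving through the API) leaves a distinctive trace: one source address failing against many different accounts in a short window, and succeeding on the few whose owners reused a password. The following added example, not code from the original post or from Starbucks, runs a simple sliding-window detector over a constructed, hypothetical login log to show how a defender would spot it and list the accounts that were probably taken over. The log format, addresses and account names are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API login events (hypothetical format, not a real Starbucks log).
# 203.0.113.7 replays leaked credentials against eight accounts; two of them reused a password.
# 198.51.100.2 is a legitimate customer mistyping her password twice before getting in.
SAMPLE_LOG = """\
2015-05-13T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2015-05-13T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2015-05-13T10:00:03Z ip=203.0.113.7 user=carol@example.com result=OK
2015-05-13T10:00:04Z ip=203.0.113.7 user=dan@example.com result=FAIL
2015-05-13T10:00:05Z ip=203.0.113.7 user=erin@example.com result=FAIL
2015-05-13T10:00:06Z ip=203.0.113.7 user=frank@example.com result=FAIL
2015-05-13T10:00:07Z ip=203.0.113.7 user=grace@example.com result=OK
2015-05-13T10:00:08Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2015-05-13T10:01:10Z ip=198.51.100.2 user=alice@example.com result=FAIL
2015-05-13T10:01:25Z ip=198.51.100.2 user=alice@example.com result=FAIL
2015-05-13T10:01:40Z ip=198.51.100.2 user=alice@example.com result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_events(log_text):
    """Turn log lines into event dicts; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_failures=5, min_distinct_users=5):
    """Flag source IPs that fail logins against many *different* accounts inside one time window.

    A customer mistyping a password fails repeatedly against one account; an attacker replaying
    leaked credentials fails against many accounts and succeeds on those that reused a password.
    The report also lists the accounts each flagged IP did log in to, i.e. the likely takeovers.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            failed = [w for w in win if w["result"] == "FAIL"]
            failed_users = {w["user"] for w in failed}
            if len(failed) >= min_failures and len(failed_users) >= min_distinct_users:
                report[ip] = {
                    "failed_logins": len(failed),
                    "distinct_users": len(failed_users),
                    "accounts_logged_in": sorted({w["user"] for w in win if w["result"] == "OK"}),
                }
    return report


def analyze(log_text):
    return detect_credential_stuffing(parse_events(log_text))


if __name__ == "__main__":
    for ip, stats in analyze(SAMPLE_LOG).items():
        print(ip, stats)
```

The thresholds are deliberately conservative: the signal is the number of distinct accounts failing from one source, not the raw failure count, which is why the customer at 198.51.100.2 is not flagged. In practice attackers spread attempts across many addresses, so the same logic is worth running keyed on other attributes the API can see (device fingerprint, user agent, ASN) as well as on IP.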
The weakness being exploited is the absence of a second factor. Any mobile app that can spend money should offer two-factor authentication, and should require a fresh verification (a one-time code, for example) before sensitive transactions such as reloading the balance or gifting it to another email address. Two-factor at login keeps a guessed password from being enough to sign in; verification at the transaction also covers a session obtained some other way, such as a stolen token or a device that is already logged in. An optional second factor that is off by default protects almost nobody.
Hopefully this incident will push Starbucks, and other companies whose apps make purchases, to reevaluate the security of their payment systems and add two-factor authentication to reduce the risk of fraudulent transactions.
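To make the recommendation concrete, here is an added example (not code from the original post, nor Starbucks' or Uber's actual implementation) of a toy stored-value service with the weak design beside the corrected one. The attacker holds the victim's reused password but not the one-time-code secret enrolled on the victim's phone; with a step-up check on gift transfers, the attacker can still reload the balance but cannot move it out. The account, balances, emails, and the HOTP (RFC 4226) second factor are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import struct
from collections import defaultdict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: a one-time code derived from a shared secret and a counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class StepUpRequired(Exception):
    """A sensitive transaction needs a second factor the caller did not supply."""


class StoredValueService:
    """Hypothetical stored-value account service, not a real company's backend."""

    def __init__(self, require_step_up_for_gifts: bool):
        self.require_step_up = require_step_up_for_gifts
        self.accounts = {}                     # email -> account record
        self.sessions = {}                     # session token -> email
        self.gifts_received = defaultdict(float)

    def register(self, email, password, balance=0.0):
        salt = secrets.token_bytes(16)
        self.accounts[email] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "balance": balance,
            "otp_secret": secrets.token_bytes(20),   # provisioned to the customer's phone
            "otp_counter": 0,
        }
        return self.accounts[email]["otp_secret"]

    def login(self, email, password):
        acct = self.accounts[email]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 100_000)
        if not hmac.compare_digest(candidate, acct["pw_hash"]):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.sessions[token] = email
        return token

    def balance_of(self, email):
        return self.accounts[email]["balance"]

    def reload(self, token, amount):
        # Password-only session reaches the linked payment method: the gap the article describes.
        self.accounts[self.sessions[token]]["balance"] += amount

    def gift(self, token, to_email, amount, otp=None):
        sender = self.accounts[self.sessions[token]]
        if self.require_step_up:
            if otp is None:
                raise StepUpRequired("gift transfers require a one-time code")
            expected = hotp(sender["otp_secret"], sender["otp_counter"])
            if not hmac.compare_digest(otp, expected):
                raise PermissionError("bad one-time code")
            sender["otp_counter"] += 1            # each code is single-use
        if amount > sender["balance"]:
            raise ValueError("insufficient balance")
        sender["balance"] -= amount
        self.gifts_received[to_email] += amount


def simulate_takeover(require_step_up: bool) -> dict:
    """Attacker logs in with the victim's reused password, reloads, and tries to gift the balance away."""
    svc = StoredValueService(require_step_up)
    svc.register("victim@example.com", "Winter2015!", balance=10.0)   # OTP secret stays on the phone
    token = svc.login("victim@example.com", "Winter2015!")             # password known from another breach
    svc.reload(token, 100.0)
    try:
        svc.gift(token, "attacker@example.net", 110.0)
        outcome = "gift succeeded"
    except StepUpRequired:
        outcome = "step-up blocked gift"
    return {
        "outcome": outcome,
        "victim_balance": svc.balance_of("victim@example.com"),
        "attacker_received": svc.gifts_received["attacker@example.net"],
    }


def legitimate_gift_with_code() -> float:
    """The real owner completes the same transfer by supplying the code from their phone."""
    svc = StoredValueService(require_step_up_for_gifts=True)
    secret = svc.register("owner@example.com", "correct horse battery", balance=20.0)
    token = svc.login("owner@example.com", "correct horse battery")
    svc.gift(token, "friend@example.com", 5.0, otp=hotp(secret, 0))
    return svc.gifts_received["friend@example.com"]


if __name__ == "__main__":
    print(simulate_takeover(require_step_up=False))
    print(simulate_takeover(require_step_up=True))
```

Note what the step-up check does and does not buy: the attacker's password-only session can still reload the balance, so the reload also deserves verification (or a second factor at login), and a one-time code sent to an email address is only as strong as that mailbox's own password, which is often the same reused one.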
Users of the Starbucks mobile app should make sure the account has a strong password that they use nowhere else, ideally one generated and stored by a password manager. A password shared across accounts exposes all of them as soon as it leaks from any one site, and replaying credentials from other breaches against popular services is exactly the pattern described here.
Similar activity has been reported against other applications, including Uber, which says its systems have not been hacked.
Its app also lacks two-factor authentication, however, so if a user's password is compromised, whoever holds it can request rides that are charged to that user's account.