Starbucks Mobile App Did Not Get Hacked – User Accounts Got Hacked

This issue is a “new news story” as of 6 hours ago from ibtimes.co.uk:

http://www.ibtimes.co.uk/starbucks-customer-accounts-hacked-through-smartphone-apps-1501118

The story originally got going with Bob Sullivan’s ‘scoop’:

[Image: Bob Sullivan’s scoop]

Yes, there is no need to know the account number, because all that is needed is the username, which is not the account number. I have a Starbucks card, and do not have auto-reload set up like some of these users…

 

And this has been going on for months now; it is not new. Here is a Forest Park, IL Facebook post on the Starbucks page from January 7th 2014. Here is the transcript:

“My Starbucks reward card was hacked Sunday night. Thieves bought 4 $100 gift cards. (they tried to buy 8) then sent me 4500 spam emails to try to make me miss the email notifications. Called Sun am and asked fraud dept to contact me. Also sent me miss the email notification. Also sent a message through the website. No call. Still out $400. Social responsibility not seeming to come into play on the individual level. Starbucks has my money but I am betting they cancelled out the reloads and egifts sent out fraudulently from my rewards account.”

[Image: Starbucks gift card hack]

So I think this is a classic authentication credentials hack – where the username was either stolen or found on other hacks, and then the password was hacked by the criminals.

 

Everybody keeps asking, “What can a hacker do if they hack into my computer?”

Well, they can steal authentication credentials, and then start siphoning money. Look at the Starbucks account – it was hacked for $27 that was on there, and $400 in gift cards.

So, I should change my image and add a Starbucks account with $400 on it.

[Image: hacked email account worth]

 

So I recommend not using auto-reload and only adding money manually (at the store) like I do; it is not as convenient, but it is safer.

 

Remember – convenience means less secure.

One way to help test your users’ authentication is to run your user-password files against a battery of dictionary files, just like hackers do; that keeps your users honest about password simplicity.

Although as a rule one should not see a password, one can still test with programs like Johnny.

Here is a link for the password cracking tool John the Ripper:

http://tools.kali.org/password-attacks/johnny

The home page is at http://openwall.info/wiki/john/johnny
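A small sketch of the dictionary audit described above, added here as an example (it is not code from the original post or from John the Ripper): it checks stored salted hashes against a wordlist plus a few common suffixes and reports only the usernames that need a reset, never the passwords. The accounts, wordlist, suffix rules and the PBKDF2 storage format are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumption: kept low so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the storage format assumed for this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def candidates(word: str):
    """Yield a dictionary word plus a few habits users rely on to 'strengthen' it."""
    for base in {word.lower(), word.capitalize()}:
        yield base
        for suffix in ("1", "123", "!", "2014"):
            yield base + suffix


def audit(accounts: dict, wordlist: list) -> list:
    """Return usernames whose stored hash matches a dictionary-derived candidate.

    Only usernames are returned; the matching password is never kept or shown.
    """
    weak = []
    for user, (salt, stored) in accounts.items():
        if any(
            hmac.compare_digest(hash_password(guess, salt), stored)
            for word in wordlist
            for guess in candidates(word)
        ):
            weak.append(user)
    return sorted(weak)


def make_account(password: str):
    """Build a (salt, hash) record the way a user store would hold it."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed sample data, not real accounts or a real wordlist.
ACCOUNTS = {
    "alice": make_account("Coffee123"),
    "bob": make_account("starbucks"),
    "carol": make_account("t7#Qv9!mLx2@pW"),
}
WORDLIST = ["password", "coffee", "starbucks", "latte"]

if __name__ == "__main__":
    for user in audit(ACCOUNTS, WORDLIST):
        print(f"{user}: dictionary-derived password, force a reset")
```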

Contact us to help you with securing your network.

 

———————————————————————————-

Updated 5/19/15 – http://krebsonsecurity.com/2015/05/starbucks-hacked-no-but-you-might-be/ Brian Krebs wrote an article on this topic, and confirmed what I have stated here. Unfortunately for the users, Starbucks customers have gotten their account passwords hacked due to using the same user IDs and passwords in multiple places, thus causing this problem.
