May 18, 2015

When it comes to reporting on breaches involving customer accounts at major brands, the news media overall deserves an F-minus. Hardly a week goes by when I don’t hear from readers about a breathless story proclaiming that yet another household brand name company has been hacked. Upon closer inspection, the stories usually are based on little more than anecdotal evidence from customers who had their online loyalty or points accounts hijacked and then drained of value.

javamessThe latest example of this came last week from a story that was responsibly reported by Bob Sullivan, a former MSNBC journalist who’s since struck out on his own. Sullivan spoke with multiple consumers who’d seen their Starbucks card balances emptied and then topped up again.

Those customers had all chosen to tie their debit accounts to their Starbucks cards and mobile phones. Sullivan allowed in his story one logical explanation for the activity: These consumers had re-used their Starbucks account password at another site that got hacked, and attackers simply tried those account credentials en masse at other popular sites — knowing that a fair number of consumers use the same email address and password across multiple sites.

Following up on Sullivan’s story, the media pounced, suggesting that Starbucks had been compromised. In a written statement, Starbucks denied the unauthorized activity was the result of a hack or intrusion into its servers or mobile applications.

“Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account,” the company wrote. “This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.”

In most cases, a flurry of fraudulent account activity targeting a major brand is preceded by postings on noob-friendly hacker forums about large numbers of compromised accounts for sale, and the publication of teachable “methods” for extracting value from said hacked accounts.


Unsurprisingly, we saw large numbers of compromised Starbucks accounts for sale in the days leading up to the initial story about the Starbucks fraud, as well as the usual “methods” explaining to clueless ne’er-do-wells about how to perpetrate fraud against hacked accounts. Here’s another noob-friendly thread explaining how to cash out compromised Subway accounts; how long until we read media reports shouting that Subway has been hacked?

To be sure, password re-use is a major problem, and it’s a core driver of fraud like this. Also, companies like Starbucks, Hilton Honors, Starwood and others certainly could be doing more — such as offering customers two-step authentication — to protect accounts. Indeed, as these recurring episodes show, affected brands take an image hit when customers have their accounts hijacked through password re-use, because the story inevitably devolves into allegations of a data breach at the brand involved.

But it works both ways: consumers who re-use passwords for sites holding their payment data are asking for trouble, and will get it eventually.

For helpful hints on picking strong passwords (or outsourcing that to third-party software and/or services), check out this primer. For further reading about how penny-ante punks exploit password re-use and trick media outlets into falsely reporting breaches, see How to Tell Data Leaks from Publicity Stunts.

48 thoughts on “Starbucks Hacked? No, But You Might Be

  1. markD

    Please, what’s a “noob”?

    “In most cases, a flurry of fraudulent account activity targeting a major brand is preceded by postings on noob-friendly hacker forums about large numbers of compromised accounts for sale, and the publication of teachable “methods” for extracting value from said hacked accounts.”

    1. JimV

      noob = newbie = someone who is unfamiliar with and/or newly-acquainted with parameters (technical, social, procedural, etc.) or key aspects of electronic/Internet life

      Use of the term has become far more widespread than just Internet-related, and seems to have been adopted by many toward more universal applicability.

    2. Dinika

      Well, a ‘noob’ is someone who is inexperienced (mostly in technical fields). So, I really think the sentence that you quoted above means that once the databases of these top brands are hacked into, and valuable information (such as credit card or debit cards numbers) about their customers is obtained then various maleficent website posts easy to follow methods to extract value (money, generally) from the breached accounts. These methods are often explained in a way that’s easy to follow, which is why even a newbie (or a noob) can understand them.

  2. Kevin

    Not carrying cash is a convenience? I call it laziness. People need to take charge of their own finances. If someone is using plastic to pay for a $5.00 item I think they should rethink their financial and retirement strategy.

    No one deserves to be hacked, however if you do not carry at least $20.00 to $50.00 in cash I must question your intelligence.

    All good men carry cash.

    1. Tucker

      Different strokes. I personally get a higher percentage on my balance if I get a set number of transactions per month. Small purchases are perfect for reaching this goal.

      1. Kevin

        How much is a cup of coffee at Starbucks anyway? I make office at home and have no idea.

    2. Freddie

      If you think “If you do not carry at least $20.00 to $50.00 in cash I must question your intelligence. All good men carry cash.”, I must question your intelligence.

      1. JJ

        Since reading Krebs on Security back in December, I have paid for everything with cold, hard cash. I like to think myself intelligent. Correlation is not causation, but … still…

      2. markD

        Anyone who starts distracting with insults about intelligence ought to have their posts removed. Especially the one who targeted a specific commenter just now, whereas the first one just made a blanket comment about no one in particular.

    3. Greg D

      What you call laziness, I call convenience. I don’t have time to stop by the ATM everyday to withdraw cash for my daily purchases. Nor am I tempted to constantly purchase junk I don’t need because I carry plastic. Get with the times, man.

      1. pboss

        Note that studies show that people who use credit cards for everything tend to spend more than if they had to use cash. Even folks who pay off their balances every month. When you use cash, you think harder about whether to buy something.

        1. Anon

          > When you use cash, you think harder about whether to buy something.

          Ha! No way for me. I use cash exclusively for the things I don’t think about extensively:

          1) Bar expenses
          2) Tips for bands
          3) Festival foods and beverages

          Pretty much every other establishment I frequent deals with cards at least as well as they do cash.

          I never carry more cash than I’m willing to lose to either theft or drunken excess. All thought occurs well before the spend – very little occurs during beyond “do I have enough here to buy another round?” and occasionally “how much have I already given this band?”

          Admittedly, I’m not in a typical environment and my behavior may be non-standard. But I’ll definitely be an exception to the “you” in that sentence.

          Otherwise, I use a card for every purchase I can.

          1. Neej

            Unfortunately for you pboss is absolutely right. And you my friend are thoroughly misunderstanding the situation like many users of plastic.

            The reason we know people – a large majority of people – spend more using plastic is this is easy to measure: one simply forms two randomised groups and sends them shopping under a false pretext so they will not consciously try to alter the outcome of the experiment.

            As pointed out we find out that people spend significantly more when they use plastic.

            The bad part for you and where I believe you might help yourself by adjusting your attitude is the process of spending more is entirely unconscious. It is impossible for you to know whether you have spent more as a result of a decision to use plastic rather than cash.

            So the smart person will realise that their rational interpretation of their actions is actually not driven by a rational unconscious and will assume they spend more with plastic simply because there is no way to know and that’s what the odds favour you as being.

            In these types of experiments there has never been a case of a “magic” person who was able to act in a rational manner – meaning consciously. So what do you suppose the chances of you being a special case are?

    4. Alan

      Anyone who uses cash when they can use a reward card is not taking control of their finances. Why use cash when I can use a rewards card that I pay off ever 2 weeks. I question the intelligence of anyone who makes absolute statements.

      1. JCitizen

        +1 to you Alan!

        Exactly – I get from 4 to 6.5 % cash back on fees for my debit card. I only used it at stores locally. I monitor it everyday for new transactions, so I can stop any thing within the 48 hour time limit to get all my money back if a merchant gets cracked.

        It is worth the time to do that, because it is easy, and I get more back than using cash for the price. I call that smart, not lazy. I feel like people that use cash are the crazy ones! For all other purchases I use rewards credit cards also. I get enough back I can shop for free at Amazon or other stores online every other month or so. I usually get 25 to 50 bucks on a temp card, and no cracker is going to abscond with that, because I make sure it is a one time use, and fully spent, then I shred it.

    5. Invalid Username

      Kevin, you couldn’t be more wrong. I never carry cash because cash can’t be replaced if lost or stolen. A piece of plastic can be cancelled, if lost or stolen, with a quick phone call.

      Only idiots carry cash.

      1. Mahhn

        I must be an idiot. I carry 3 to 8 hundred all the time. Only use the card (fuel and internet purchases) to keep a credit rating. I am “very” good with my money and investments. If saving 50%+ of my paychecks for life is being an idiot, I’m happy with that. Robbed? Card info is more likely to be stolen than I am to get mugged. I never use an ATM. Visit the bank twice a month on the way home (deposits and cash). Try getting your neighbors kid to mow the lawn for credit. I “never” pay a fee to use my money.

        1. Kelsey

          3 to 8 HUNDRED?! I think you need to rethink your absolute statement.

        2. Anon

          > Card info is more likely to be stolen than I am to get mugged

          You must live in a very safe place – I’m glad for you! But even so, if/when your card info is stolen you should not suffer any direct financial loss.

    6. Soy Tenley

      “Your Cash Ain’t Nothin’ But Trash” as sung on the album “The Joker” by The Steve Miller Band

      and earlier by The Clovers.

  3. Dunkin

    The term “hack” has become synonymous with a creative way to get around the system – as in “life hacks”. So, while they may not have been technically “hacked”, they most certainly have allowed the fraudsters to get around their systems.

    All businesses are entrusted by their clients to protect them. The banks figured this out a while ago and have since taken a very aggressive approach to protecting accounts. Merchants need to do the same.

    It should be any business’ fiduciary responsibility to protect the consumer – period. Even when the consumers are careless and cavalier about protecting themselves online.

    And, considering where the money goes, shouldn’t we ALL take a more serious stance to wipe out fraud – not just control it? Instead, we’re placing blame on weak passwords?

    Many businesses take a calculated risk on weighing an “acceptable” fraud level vs client experience and converting it back to revenue/profit objectives. Was this *$s methodology? Only they know. And if they did, I wonder if they weighed the impact on negative press.

    Hypothetical, yet serious question… What would Howard Schultz (or any CEO) do if he knew that money that was stolen from them was used to buy rocket propelled grenades to harm our soldiers?

  4. Rodney Thayer

    I agree most members of the press do terribly at reporting on “hacking”/”cyber” incidents. I’ve been thinking about issuing report cards when they get it right. Even on his bad days Brian seems to get middle B’s and above 😉

  5. Mike

    It is interesting that more and more of these kinds of issues are taking place and at what seems to be a faster rate.

    People get that look on their fae when WinXP is seen or mentioned and while XP is becoming much less an issue as time goes forward, these problems don’t. People act as if the world could have all it’s problems fixed when no one uses XP anymore.

    Does Starbucks currently run on XP?

    What possible update/upgrade will solve this problem? Maybe Windows should be abandoned all together? But then, Mac and Linux have security issues themselves.

    1. Chris M

      Security isn’t about any one avenue of attack. Simply changing OS isn’t enough to protect you, but then, not upgrading from XP is enough to doom you.

      Think of it like physical security of your house. A burglar is hardly going to give up when he finds the door locked, is he? He’s going to try the windows, and any other entrance as well.

      1. Mike

        Keep in mind that half of what I have runs Linux.

        “…not upgrading from XP is enough to doom you.”

        I see absolutely nothing about this conjecture that supports any real truth. There are too many things going on out there that at the very least suggest it has nothing to do with XP one way or the other and at most has more to do with general apathy and high levels of ignorance with regard to computer technology. Running XP (or any particular OS) does not “doom” you. What will doom you is becoming sheeple, not only allowing someone else to make your decisions for you but demanding they do so.

        There is simply too much evidence out there that these things can be controlled if not corrected. It will never get corrected as long as such massive percentages of the population remain so brainwashed.

  6. funny

    Krebs you did not dissapoint in this article, entertaining as ever as you grasp at stuff you don’t know. The insults you make while doing it are hilarious as ever and the fact people take you seriously is beyond me.

    1. Username Invalid

      So “funny” gets his jollies by trolling a message board. The insults he makes while doing it are hardly hilarious and the fact that he takes himself seriously is pathetic.

  7. zoxim

    So last week I get a letter from Citi telling me that, because of a “breach at a retailer”, they are sending a new card with a new number. Card arrived 5 days later. When I called to activate it I asked the person who the retailer was that was breached and why wasn’t I notified by that company when said breach occurred. The rep said that “there are so many breaches that we can’t keep track of them”, and she would not disclose what retailer was responsible. It’s left to me to constantly monitor my account to look for suspicious activity. This problem just seems to be getting worse by the day. Just how much money and time is being lost to this?

    1. markD

      The scariest part is that only as much as Brian digs up is what we enjoy, and even he has to eat and sleep sometime!!!!

    1. Infosec Geek

      What could possibly go wrong?

      How much will this increase the attack surface?

  8. martha

    I have a question for anyone who can answer. My credit card number has been used for Starbucks cards etc repeatedly even after CC co. changed number and sent me a new card(5 new cards needed in last six months.)
    I know who used the card in multiple instances because he used his own name, address and phone number to order food delivered to his apt. via Postmates. I verified through his apt. manager that he lives at this address in San Francisco. I contacted both CC Co. and Postmates and nobody will follow up with this criminal. Why?

    1. nov

      My guess is not “why”; but what’s the correct area of responsibility. I’d file a report with law enforcement.

    2. MadVirgo

      My concern is how is he able to get your information about each new card, and then use it again and again? Is the CC Co. that susceptible to social engineering? And yes, I agree with ‘nov’–time to get law enforcement into this. I had to do that, and after bouncing between two jurisdictions, they found the perpetrator, and I have a court date–though I don’t know why; wasn’t there when whatever breach took place.

    3. Soy Tenley

      My credit card bank – Chase – maintains account information about me with an identification that is independent of the card number – that is how they are able to transfer the balance of a card they have canceled to the new card they have issued to me, whether it was to replace an expiring card, or a physically stolen card, or a card they replaced due to widespread hacker attacks. The last card replacement they changed me from a MasterCard to a Visa card. They explained this so long ago I have forgotten how they explained it. It might be buried in a box full of never-trashed statements that go back to the mid 1990’s.

      I suspect that what is happening to you is this : someone has acquired your identity information that resides within your credit card company/bank and knows your new card number as soon as it is issued. In other words, insider information.

      My suggestion is that you open an account at another bank or credit union and get a card through those people, cancel your current card account completely, and then see if the other person is still able to get that new credit card number.

    4. markD

      Every week I hear about someone else in my particular circle having an incident of some sort.

      What you might do, if you can tolerate some mild inconvenience, is spend the $180 or so to freeze your credit at all three credit bureaus, and thereafter only unfreeze per credit application.

      Better yet is to ALSO get off the credit card addiction period, and only keep them for situations where you absolutely must have one, such as car rental.

      Thereafter, obtain a “re-loadable debit card” through your bank or Credit Union, I use Visa’s Atira product. It is not linked to any other account, and you can only fund it two ways: in person at the bank, or on the phone live to a live teller (thus meaning during bank business hours). Yes, it means that Saturday night if you want something you haven’t already funded, you have to wait til Monday morning. Visa’s reloadable debit card, called “Atira,” allows up to fifteen deposit transfers per month, so you don’t need to keep much of a balance at all, and only need fund it when you plan a transaction. The most you can lose is whatever you have placed in the account at any one time…so all you have to do is keep just enough that you can get by until the next live-teller business hours. If it’s compromised, you just close it and then start a new account. Atira does not allow deposits except direct by you at the bank office or on in-person-telephone authorization to a live teller. You can only draw cash once per month free, but a few times a month you can stop by the bank and draw spending cash. Thus you are spending cash mostly, and using your debit card when cash is not convenient, and none of it is linked to other accounts. Once set up it is not really cumbersome.

      I think it became worth the trouble when I decided, after seeing some people lose their identity and have it ruin their lives for a very very long time thereafter, and then one day hearing three people in a row at the credit union, employees no less, tell me they’d had their identity stolen, that my business is something they should have to try for, rather than me beg and risk myself for their grand convenience. I decided that I would not be the slow addict or slave anymore. My identity is something that I am now willing to insist merchants and financial institutions protect, and repay me for losses on top of that, in order to win my business. Until then, until we get a two step process universally, and chip&pin everywhere, they can go spit. Eventually enough of us will require it that we’ll get some two step solutions more widespread. (I hope!!)

      It’s worth it to go back to cash and freeze my credit.

      Lots more peace of mind now, and I have learned about discipline such that if I really want something expensive, I have to wait until the next business-hours live teller at the credit union. My only bad habit now is at the pump, where I still use a credit card, and I am working on that bad habit.

      Between that and having my credit frozen at all three of the credit bureaus (at the time it cost me about $180, and it can be lifted temporarily any time I myself want to apply for a new credit card). Cash for gas and incidentals isn’t so horrible to carry. For everything else that will be online I use that Atira, and the near zero cash balance (never more than about $100) means that the most I can lose is what I can afford. yes I lose the nickels and dimes of incentives. For coffee, stores and etc. I just use cash. It’s a good habit and I am a lot happier. No store cards, no club cards, and so I don’t get the little ticky benefits, but I sleep a whole lot better. Too much convenience leads to indolence anyway.

  9. GadgetComa

    Here’s a basic question …

    Why doesn’t Starbucks limit the frequency of the auto-reload? It’s insane that the Starbucks account will auto-reload without limit, allowing large amounts to be siphoned off through this hacking. Does anyone need to reload their Starbucks card more than once a week or even at the extreme, once a day?

    This is another flavor of ‘least privilege’ that is constantly overlooked.

    1. Sam

      It is not in Starbucks interest to provide any impediment whatsoever to your purchasing capabilities on the go!

  10. martha

    Thanks to everyone who answered my question and had great ideas on how to keep it from happening again.

  11. Elfriede

    I want to thank the H.A.C for making me smile again after so many years of suffering and being scammed trying to get a loan, i tried everywhere trying to make money but all to no avail until i came accr0s a so many comment of how a lot of got a hacked ATM card from the H.A.C organization. I never believed all these was true due to the alert of scams on the internet, but i had no choice that to give them a trial. I contacted {}. They responded and told me all about the ATM and i purchased one of the ATM card, thou i never thought i will get the ATM card, Until two days later i heard a knock on my door and to my greatest surprise i saw a courier service agent standing before that i have a parcel. I took the parcel and found out that is was the ATM card. I rushed down to an ATM machine to see if it will work but i was shock when 2000usd got out of the ATM machines and that was how i withdrew the sum of 50,000,00usd out of the card. This might sounds crazy, but its the truth. Contact {} if you need help of becoming rich.

  12. jessica


    Hello everyone. There is a new way of making cash, although it is illegal but also a smart and easy way of living big. I used to be a barrack girl until i became eager and decided to change my life one way or the other. I got opportunity to register for the militant amnesty through connection thereby taking me out of the country for training in the United States for a period of 3years. To cut the story short, during my training i made some white friends who were geeks and also experts at ATM repairs, programming and execution who taught me various tips and tricks about breaking into an ATM. with my knowledge gained from my white geek friends, i have been able to counterfeit and programme a blank ATM card using various tools and software’s. I have ready-made programmed ATM cards or if you want to learn you are also free to contact me.. I am just 29, my family are in USA and i have cash, i have a car, i live in India and i travel all around the world. i do my things on a low-key to avoid suspicion. Some of you will wonder why i am selling this out if truly i am already living large. It is because it is hard task doing it yourself, i wont lie to you, its not easy to hack ATM talk more of to reprogramme the card alone. It takes days and sometimes weeks. Some of you will want the ready made card to avoid the stress of doing it yourself and i don’t give the ready made card out for free because i spent days trying to make it available for you. e-mail me. ( for more information, request of the ATM,explanation and inquiries. NOTE: the ATM card has no pin, no registered account number. It has no limit for withdrawal and it is untraceable. You can collect money from any account just by typing the persons account number e-mail me. (

Comments are closed.