Starbucks accounts are an interesting hybrid of gift cards and debit accounts, but that means that they lack the protections of bank accounts. Consumer reporter Bob Sullivan broke this story, sharing the stories of readers whose accounts had been breached.
The problem is that by changing a user’s Starbucks account password, scamsters can repeatedly transfer the victim’s balance to a card of their own, and this amount is theoretically unlimited as long as the victim has auto-reload turned on. (If you use the Starbucks card or app and have auto-reload turned on, leave this page and go turn it off right now. Don’t even finish reading this paragraph. Why are you still here?)
This fraud is similar to the malfeasance that got the Jonathan’s Card social experiment shut down.
Sullivan contacted Starbucks about the scam, and they couldn’t provide specifics. In a statement to Consumerist, Starbucks recommends common-sense solutions: don’t make “coffeeeeeeee” the password to your Starbucks account, for example. Here’s their full statement:
Customer security is incredibly important to us. We have safeguards in place to constantly monitor for fraudulent activity and, like all major retailers, work closely with financial institutions to make sure our customers are protected. We also encourage our customers to use several best practices to ensure their information is as protected as possible such as using strong passwords, unique user names/passwords for online accounts and changing their passwords often. Customers are not responsible for charges or transfers they did not make and if a customer’s Card is registered, their account balance is protected. If a customer sees unauthorized activity on their account, we encourage them to contact us immediately.