Mmm… coffee. Millions of people have Starbucks accounts that allow you to participate in their rewards program, buy gift cards and even order a triple venti mocha right from your phone. These accounts are linked to one or more Starbucks cards which are backed by real credit cards or bank cards. It’s no surprise that these account are juicy targets for hackers.
A compromised Starbucks account combined with stolen credit card information can allow an attacker to fraudulently purchase gift cards and profit from unsuspecting coffee drinkers.
My wife recently received several unexpected emails claiming that she had purchased a number of “eGift” cards. My first instinct was to dismiss these emails as just another phishing attempt. But the curious messages kept coming so we took a closer look. They appeared to be legitimate messages from the company that handles electronic gift cards for Starbucks, the company’s name is CashStar. She didn’t order any gift cards, nor had she used her Starbucks account recently. In fact, she didn’t even know that she had an active Starbucks account.
If you notice suspicious activity like this, the first thing you should do is make sure that you have control of your account. Login and reset your password. If you don’t recall your password, you can use your email address to request a password reset.
Next, turn on 2 factor authentication to further secure your account before continuing your investigation. You’ll find brief instructions for enabling 2-factor authentication at the end of this post.
After resetting your password and enabling 2FA, take a look at your account details. Look for indicators that your account has been compromised such as bizarre contact information in place of your own. Review your transaction history and look at the payment cards that you have on file.
In our case, it looks like the account associated with our email address was using stolen credit card information to purchase gift cards. Check your credit card and bank activity. If one of your cards was compromised, contact your bank or card issuer immediately to stop the transactions.
It’s also possible, as in this case, that while the account in your name was used to carry out the scam, that your credit cards were not used. Either way, you’ll need to report the scam to Starbucks next. Don’t count on Starbucks to be super helpful, though. I spent over an hour trying to navigate their single customer service phone number, spoke to at least 3 people, was placed on hold multiple times, and even dumped to a generic voicemail at one point. Stick with it and you’ll eventually speak with the right person that can stop the fraudulent transactions and reverse them if necessary. Here is the customer service number you’ll need to get in touch with Starbucks: 800-Starbuc (800-782-7282).
Finally, consider deleting the account if you no longer use it or deleting it and starting fresh with a new account.
To recap, here are the steps to follow if you suspect that your account is being used for fraudulent transactions.
- Regain control of your account. Login and reset your password. Use a strong, unique password – something you haven’t used with any other account.
- Enable two-factor authentication. (2FA/MFA)
- Review account information, transaction history and credit cards on file.
- If your cards have fraudulent activity, call your bank or card issuer immediately.
- Contact Starbucks support at 800-Starbuc (800-782-7282) to report the incident.
- Consider deleting your account and starting fresh with a username and password combination that you’ve never used before. (And enable 2FA on the new account.)
Many of us would agree that our coffee is worth protecting – ok, ok, our privacy and money are important too. Go ahead an enjoy your beverage knowing that you are a little more secure than you were yesterday.
#SimpleSecurity
Should I be concerned if a phone rep from Starbucks asks for first 6 and last 4 numbers on my credit card. In order to refund my bank account? My cc is connected to my Starbucks app. They should already have my bank #.
I got the same emails, One email confirming a giftcard purchase and another right after saying it couldn’t be processed due to suspicious activity, I immediately went and changed password. Weird thing though, I already had the two factor on, yet never got any text code or warning someone was accessing my account….