Latest Starbucks card breach could stem from weak passwords

If you're relying on "frappuccino" as your password, then your favorite sugary afternoon beverage could end up costing you a good deal more than $5.

Time to wake up and smell the coffee: weak passwords are going to cost you -- big time.


For some people, nothing is more valuable than that morning cup of coffee, and Starbucks makes it ridiculously easy to grab fast on-the-go with gift cards, mobile apps and probably even more digital commerce options on the way.

But with such privilege comes a cost, and it's much more than just an overpriced caramel macchiato.

Turns out the only thing easier than paying with a Starbucks app is hacking into one, based on a scoop by consumer advocate blogger Bob Sullivan on Tuesday.

"Criminals are using Starbucks accounts to access consumers' linked credit cards," Sullivan wrote. "Taking advantage of the Starbucks auto-reload function, they can steal hundreds of dollars in a matter of minutes."

ZDNet reached out to Starbucks for comment. The coffee giant has not commented publicly yet on the matter.

Until the Seattle-founded chain announces some sort of resolution, Sullivan advised customers to turn off the auto-reload function at the very least.
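The fraud pattern Sullivan describes, a hijacked account repeatedly triggering auto-reload so the linked card is drained in minutes, is the kind of activity a retailer's monitoring can catch on velocity alone. The script below is an added illustration written for this article, not Starbucks's own fraud logic or code: it runs a sliding-window velocity check over a few constructed reload events (the log format, account ids, window size and thresholds are all assumptions) and flags accounts whose auto-reload count or dollar total inside the window exceeds policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reload events for illustration (not real Starbucks logs).
# One event per line: "timestamp,account_id,amount_usd,trigger"
SAMPLE_EVENTS = """\
2015-05-12T09:01:10Z,acct-1001,25.00,auto-reload
2015-05-12T09:03:42Z,acct-1001,25.00,auto-reload
2015-05-12T09:05:19Z,acct-1001,25.00,auto-reload
2015-05-12T09:06:55Z,acct-1001,25.00,auto-reload
2015-05-12T09:08:30Z,acct-1001,25.00,auto-reload
2015-05-12T08:30:00Z,acct-2002,20.00,auto-reload
2015-05-13T08:31:00Z,acct-2002,20.00,auto-reload
2015-05-12T12:00:00Z,acct-3003,50.00,manual
"""

# Assumed policy thresholds; a real deployment would tune these per risk appetite.
WINDOW = timedelta(minutes=10)
MAX_RELOADS_IN_WINDOW = 3
MAX_DOLLARS_IN_WINDOW = 100.0


def parse_events(text):
    """Parse the constructed CSV-style lines into (timestamp, account, amount, trigger)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, amount, trigger = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), acct, float(amount), trigger))
    return events


def flag_reload_velocity(events, window=WINDOW, max_count=MAX_RELOADS_IN_WINDOW,
                         max_dollars=MAX_DOLLARS_IN_WINDOW):
    """Return {account_id: reason} for accounts whose auto-reloads inside any
    sliding window exceed the count or dollar threshold. Manual reloads are ignored."""
    by_acct = defaultdict(list)
    for ts, acct, amount, trigger in events:
        if trigger == "auto-reload":
            by_acct[acct].append((ts, amount))

    flagged = {}
    for acct, reloads in by_acct.items():
        reloads.sort()           # oldest first so the window can slide forward
        start = 0
        running = 0.0            # dollar total currently inside the window
        for end, (ts, amount) in enumerate(reloads):
            running += amount
            # Drop events that fell out of the window behind this one.
            while ts - reloads[start][0] > window:
                running -= reloads[start][1]
                start += 1
            count = end - start + 1
            if count > max_count:
                flagged[acct] = f"{count} auto-reloads within {window}"
                break
            if running > max_dollars:
                flagged[acct] = f"${running:.2f} auto-reloaded within {window}"
                break
    return flagged


if __name__ == "__main__":
    for acct, reason in flag_reload_velocity(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {acct}: {reason}")
```

On the constructed input only acct-1001 trips the rule (its fourth reload lands within ten minutes of the first); acct-2002's two reloads are a day apart and acct-3003's reload was manual, so neither is flagged. A flagged account is a candidate for pausing auto-reload and forcing re-authentication, which is the server-side counterpart of the per-user advice to switch the feature off.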

Jonathan Sander, a strategy officer at research firm STEALTHbits Technologies, acknowledged no one knows exactly how hackers are stealing cash through Starbucks cards, but there is one obvious culprit: weak passwords.

"A word to the wise is that anywhere you have your credit card saved you should treat it like it's a locker where you keep your wallet," Sander added.

Starbucks has suffered a few technical mishaps in recent memory -- most recently a computer glitch in April affecting its point-of-sale system at locations nationwide.

The only pieces of good news to be gleaned from that event were possibly some free lattes and the promise that no customer data was compromised.

Nevertheless, the latest potential breach puts a dent in Starbucks's ongoing strategy as a tech-friendly and increasingly mobile-first brand.

Brendan Rizzo, technical director for HP Security Voltage, suggested this week's Starbucks incident serves as a reminder of the responsibility that companies have in protecting customer data.

That data, Rizzo explained, includes names, home addresses, email addresses, and phone numbers, just to start. From there, he continued, hackers could exploit the data in ways ranging from simply selling it off to much more damaging spear-phishing attacks and identity theft.

Rizzo stressed, "Beyond the threat to customers' sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line."

UPDATE: A Starbucks spokesperson responded to ZDNet with the following statement:

It's important to clarify there is no "loophole" on Starbucks gift cards or breach of Starbucks information.

Customer security is incredibly important to us. Like all major retailers, we have safeguards in place to constantly monitor for fraudulent activity and work closely with financial institutions to make sure our customers are protected. We also encourage our customers to use several best practices to ensure their information is as protected as possible such as using strong passwords, unique user names/passwords for online accounts and changing their passwords often. Customers are not responsible for charges or transfers they did not make and if a customer's Card is registered, their account balance is protected. If a customer sees unauthorized activity on their account, we encourage them to contact us immediately.