NEW YORK (CNNMoney) — Thieves are stealing money from people’s credit cards, bank and PayPal accounts — by first tapping into their Starbucks mobile app.
Starbucks on Wednesday acknowledged that criminals have been breaking into individual customer rewards accounts.
The Starbucks app lets you pay at checkout with your phone. It can also reload Starbucks gift cards by automatically drawing funds from your bank account, credit card or PayPal.
That’s how criminals are siphoning money away from victims. They break into a victim’s Starbucks account online, add a new gift card, transfer funds over — and repeat the process every time the original card reloads.
These thefts were first reported by consumer journalist Bob Sullivan.
CNNMoney interviewed several Starbucks customers who in recent months have had this happen to them.
It happened to Jean Obando on the Saturday evening of December 7. He had just stopped by a Starbucks in Sugar Land, Texas and paid with his phone app. Then while driving on the highway, his phone chimed with a barrage of alerts. PayPal repeatedly notified him that his Starbucks card was being automatically reloaded with $50.
Then came the email from Starbucks.
“Your eGift Just Made Someone’s Day,” the email said. “It’s a great way to treat someone — whether it’s to say Happy Birthday, Thank you or just ‘this one’s on me.’”
He got 10 more just like it — in just five minutes.
Starbucks didn’t stop a single transaction or pause to ask Obando for secondary approval. All of them went through. When Obando told Starbucks he thought his account was hijacked, Starbucks promised to conduct a review. When Obando asked to stop the payments and refund his money, Starbucks told him to dispute the charges with PayPal.