Coffee giant Starbucks has hit back at news reports claiming its mobile app was recently hacked, arguing that poor password management on the part of individual customers has led to their credit cards details being breached.
It was claimed by multiple news sources that hackers had hijacked the accounts of hundreds of Starbucks mobile customers, stealing any funds stored on their devices and then the associated debit/credit card information.
This represented a major PR disaster for the coffee behemoth given that a sizeable chunk of its revenue now comes via its industry-leading mobile app.
However, the firm branded those claims false on Wednesday in a lengthy statement, which had the following:
“Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.
If a customer believes their account has been subject to fraudulent activity, they are encouraged to contact both Starbucks and their financial institution immediately. Customers are not responsible for charges or transfers they did not make. If a customer’s Starbucks Card is registered, their account balance is protected.”
The firm urged its customers to create stronger passwords, change them frequently and not to reuse the same log-ins over multiple sites.
It also advised patrons to change passwords if their mobile devices get lost or stolen.
Webroot threat researcher, Roy Tobin, argued that large organizations cannot wash themselves of all responsibility, even if their customers are to blame for security breaches.
“Companies must anticipate this vulnerability by implementing more rigorous security processes, making it harder for hackers to access their customers’ accounts,” he added.
“Best practice for mitigating this is the implementation of a two-factor authentication process that requires the user to verify their identity when logging in from a new device or location whenever financial details are accessed or used. This extra security hurdle can effectively stop hackers in their tracks, while alerting the user to the unauthorized attempt to access their account and prompting them to change their password.”