Thanks a Latte: Starbucks App Leaves Passwords Exposed

Ten million users of the Starbucks mobile app may be in for a tall cup of trouble. Yesterday it was discovered that the popular app, which allows customers to purchase drinks and food through their mobile device, has been storing customer data including email address, password, and location data in plain text on users’ devices. What does this mean for you, the Starbucks patron? Luckily, the threat level is minor, especially compared to some of the other breaches we’ve seen this year, but it does serve as a reminder that our data is not always as secure as we may think.

The flaw in Starbucks’ mobile app was first discovered by security researcher Daniel Wood, who performed a test to determine whether his own information was secure within the app. What he found was that his login information (including user name and password) as well as previous global positioning system (GPS) location data could be viewed in plain text on his device. Hypothetically, if a thief got his hands on your mobile device and was equipped with the right know-how, this information could be obtained through the Starbucks app and used for malicious means.

Let it be known that this is not a data breach, nor have hackers successfully retrieved any Starbucks customer information through this security flaw. Additionally, Starbucks has released a statement that they’re “working to accelerate the deployment of an update for the app that will add extra layers of protection,” in order to seal up this vulnerability.

This latest piece of security news is less “urgent-threat,” more “gentle-reminder.” This incident should serve as a reminder of the importance of using separate login credentials (especially passwords) for your different accounts and apps. It also comes as a reminder that mobile scams and attacks are on the rise—and climbing at a faster rate than security professionals are often able to keep up with.

According to a recent report, there is a shortage of more than one million security professionals across the globe. This means that the growing sophistication of cybercriminal attacks has outpaced the ability of IT and security professionals to address these threats. Unfortunately, where security vulnerabilities exist, cybercriminals will find their way in. As a result, many vigilante hackers have taken it upon themselves to bring such vulnerabilities to light.

We’ve also made it our duty to discuss growing threats and to address which of them should concern you as you protect your identity, your devices, and your wallet. Below are some tips to keep your mobile device safe from rogue apps and stealthy cybercriminals.

  • Update your apps. As noted above, Starbucks will be releasing an update to their app to address the newly discovered security vulnerability. They’re not alone in doing this. Many companies release updates to patch up newly discovered bugs, so it’s important to run these updates as they’re released. This is especially true for Android users, as these devices are much more susceptible to cybercriminal antics. In 2013, 99% of all mobile malware targeted Android devices.
  • Create a variety of strong passwords. In the event that a cybercriminal was able to access the plain text data stored on your Starbucks app, you wouldn’t want him or her to have unrestricted access to your entire online life now, would you? It’s important to create a variety of unique and strong passwords to use across your apps and accounts. Strong passwords generally contain all four character types: upper and lower case letters, numbers, and special characters such as exclamation points or pound signs. McAfee LiveSafe™ service can help you create and remember strong passwords for all of your online accounts.
  • Think twice before downloading that app. Just think: if an extremely reputable brand like Starbucks has this kind of security vulnerability in their app used by 10 million people, what kind of vulnerabilities are in your other apps? Think twice before downloading new apps, especially if they don’t have many reviews, and always download from an official app store.
  • Protect all of your devices with comprehensive security. Keep your personal data out of the hands of cybercriminals by installing comprehensive security software on all of your devices. McAfee LiveSafe protects PCs, Macs, smartphones, and tablets from malware, viruses, and other cybercriminal attacks.

To stay up to date on the latest consumer security news, follow @McAfeeConsumer on Twitter and Like us on Facebook.

UPDATE: Jan. 22

Starbucks released an update to their mobile app on Thursday, Jan. 16, that fixes the security vulnerability described above. Additionally, the company is working on a follow-up update to the app to add extra levels of security, ensuring that users can access and make purchases through the app with confidence.

There has been no indication that any Starbucks app user has been impacted by the vulnerability, nor that any customer data has been taken.

Gary Davis
