Skip to main content

Starbucks app compromises thousands of user passwords

The Starbucks mobile app offers a certain convenience when paying for your venti non-fat, no-foam, six-pump extra-hot chai tea latte. But turns out, it could also compromise your security.

According to a report by Computerworld, the massively popular international coffee chain has been storing user names, email addresses, and passwords in clear text. Connecting a smartphone with the Starbucks app installed to a PC, the password is easily accessible, the site said.

A spokeswoman today told us that its customers' security is "of the utmost importance to us," and that the company actively monitors for risks and vulnerabilities.

"While we are aware of this report, there is no known impact to our customers," she said in a statement. "To further mitigate our customers' potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way."

Available for iOS, Android, and BlackBerry since 2011, the application boasts the title of most used mobile payment app in the US, and provides Starbucks fans with a sort of digital gift card that can be reloaded and used at any of the chain's American locations.

Conveniently, customers must enter their password only once—when activating the app's payment options, and again when adding money to the saved card. Every transaction can then be made with a simple smartphone scan at the register, eliminating the hassle of searching for change or swiping of a credit card. But that convenience also has security risks, apparently.

According to Computerworld, security researcher Daniel Wood first discovered the password visibility late last year. After failed attempts at contacting Starbucks, Wood on Monday published his findings, along with a list of iOS-specific best practices for storing user data.

The Starbucks app version 2.6.1 launched in May for iOS, but has earned a measly 2.5-star rating, ironically gathering complaints about how the app fails to remember passwords or erases card and account information.