Starbucks is still grappling with fraud involving its customers' online accounts and gift cards, with some victims seeing hundreds of dollars stolen.
Gift-card related fraud with Starbucks cards is not new, but recent victims were highlighted earlier this week in an article by journalist and author Bob Sullivan.
Starbucks officials could not be immediately reached for comment, although Sullivan wrote the company told him that customers would not be liable for charges and transfers they didn't make.
A comment thread started more than a year ago on Facebook has tales from many people who have been stung by scammers through their Starbucks accounts.
Those at risk are Starbucks customers who have linked either a payment card or PayPal to their online account, which can be used to send gift cards to others with a preloaded balance.
Fraudsters have been taking aim at Starbucks accounts for at least a couple of years. The card itself can be used to pay for items in a store, and the online account can be used to send someone an e-gift certificate by email. It's also a loyalty tool, with Starbucks offering free food and drink rewards and other discounts.
Like many online services, Starbucks requires a username and password to access it, which means cybercriminals who obtain those credentials can get in.
It appears that hackers have obtained large numbers of Starbucks account credentials, according to a forum post on the Evolution marketplace.
Evolution, which went offline for unknown reasons in March, was a website for illegal goods along the lines of the Silk Road drugs bazaar. A scan of archived posts showed a thriving marketplace for Starbucks cards.
Shortly before Evolution shut down, one vendor wrote that "we are in the process of sifting through thousands and thousands of possible logins for Starbucks with balance."
Since people often reuse login credentials on many different web services, hackers will try to see if the details unlock another service. That's especially dangerous for Starbucks accounts since customers can set their cards to auto top-up with funds from a payment card or PayPal. The cards can hold up to a $500 balance.
Once in control of an account, the scammers can then transfer the balance to another Starbucks card, which is sold at a discount. An advertisement on a well-known bitcoin forum from last September offered a $100 Starbucks gift card for $35 worth of the virtual currency.
There are a few ways Starbucks could strengthen security around its accounts. It could offer two-factor authentication, which requires entering a time-sensitive passcode along with login credentials. At one time, that security feature might have been overboard for a loyalty account at a coffee merchant, but perhaps that's not the case these days.
Starbucks could also stop balances from being sent from one card to another, although it would probably ultimately result in fewer sales for the company. Still, companies often have to make hard choices between security and convenience, and all of them set their own tolerance level for fraud.
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.