Security disaster: Starbucks app stores customers' passwords in plain text

Monday, January 20, 2014 by: J. D. Heyes
Tags: Starbucks, customer passwords, security failure

(NaturalNews) In the technology age, it seems that nary a week or two passes without another sad story relating that Americans' personal information and privacy have been compromised.

Now, according to Washington, D.C.-area radio station WTOP, "The most-used mobile payment app in the United States stored its users' personal information in a way that could have gotten a tech-savvy thief a lot of free coffee -- on you."

That would be Starbucks coffee.

Indeed, as the station reported, the coffee giant's executives have confirmed that the store chain's mobile application has been storing user names as well as email addresses and passwords, all in clear text rather than encrypted.

The tech pub Computerworld adds:

The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.
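
An added example, not part of the original article or of Starbucks' code: a small Python audit that a mobile security tester could run over files exported from an app's data directory to flag the kinds of data described above (clear-text usernames, passwords, email addresses and latitude/longitude pairs). The field names, the sample log content and the directory layout are constructed assumptions.

```python
import re
from pathlib import Path

# Field names that should never sit next to a readable value in on-device files.
CRED = re.compile(
    r"""(?i)\b(password|passwd|pwd|username|user_name|login)\b["']?"""
    r"""[ \t]*[=:>][ \t]*["']?([^"'\s&<,}]+)""")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
GEO = re.compile(
    r"(?i)\blat(?:itude)?[^\w-]{1,4}(-?\d{1,2}\.\d+)"
    r"[^\w-]+lon(?:g|gitude)?[^\w-]{1,4}(-?\d{1,3}\.\d+)")
MASKED = re.compile(r"^(?:[*xX#-]+|null|none|redacted)$", re.I)

# Constructed sample of an app log/cache file (not real data).
SAMPLE = '''\
2014-01-14 08:02:11 POST /signin username=jdoe&password=hunter2&remember=1
{"email": "jdoe@example.com", "password": "********"}
{"latitude": 38.8977, "longitude": -77.0365, "store": "constructed"}
<passwordHash>5f4dcc3b</passwordHash>
'''

def audit_text(text, source="<memory>"):
    """Return (source, line_no, kind, detail); secret values are never echoed."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in CRED.finditer(line):
            if not MASKED.match(m.group(2)):  # skip masked placeholders
                findings.append((source, no, "cleartext-" + m.group(1).lower(),
                                 f"{len(m.group(2))} chars"))
        for m in EMAIL.finditer(line):
            findings.append((source, no, "email", "***@" + m.group().split("@")[1]))
        for m in GEO.finditer(line):
            if abs(float(m.group(1))) <= 90 and abs(float(m.group(2))) <= 180:
                findings.append((source, no, "geolocation", "lat/long pair"))
    return findings

def audit_tree(root):
    """Scan every file under an exported app-data directory."""
    out = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            out += audit_text(p.read_text(errors="ignore"), str(p))
    return out

if __name__ == "__main__":
    for finding in audit_text(SAMPLE):
        print(finding)
```

The report records only the field name, location and value length, so the audit output does not itself become another clear-text copy of the credentials.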

'I would have expected more out of Starbucks'

Tech experts know that when thieves can access a phone owner's information, they can then charge items to the victim's account, up to the amount of stored value on the victim's card. But what's worse, if the victim has chosen an "auto-replenish" option, even more money could be accessed from the victim's bank account.

"What you've described is fair, at a high level," Starbucks CIO Curt Garner said. "From a design perspective, this could have potentially happened."

Computerworld said Starbucks has taken the same path as scores of other firms:

The issue appears to be an example of convenience trumping security. One of the reasons for the Starbucks mobile app's popularity is its extreme ease of use. Customers need only enter their password once when activating the payment portion of the app and then use the app to make unlimited purchases without having to key in the password or username again. (Only when adding money to the app is the password required.)

Naturally, Starbucks could have made the decision to not allow passwords to be stored on phones, but then users would be required to type in their username and password each time they chose to use the app to buy something.

"A company like Starbucks has to make the choice between usability to drive adoption and the potential for misuse or fraud," Charlie Wiggs, general manager and senior vice president for U.S. markets at mobile vendor Mozido, told Computerworld. "Starbucks has opted to make it very convenient. They just have to make sure that their comfort doesn't overexpose their consumers and their brand."

Another security analyst, Avivah Litan, added that Starbucks' decision surprised him.

"I would have expected more out of Starbucks. At least they should have informed consumers," he said.

Two executives, quoted in a phone interview with Computerworld, said they have known the credentials were being stored in plain text and were aware that the coffee chain could have made a different decision regarding passwords and encryption.

"We were aware," said Chief Digital Officer Adam Brotman. "This was not something that was news to us."

Choosing convenience over security

Customers who use the free Starbucks app were only required to enter their password once, while activating payment options. After that, they no longer had to enter a username or password.

Starbucks is only the latest chain to put customers' personal information at risk. In December, big box retailer Target announced that tens of millions of customer purchase records had been hacked.

As reported by CNNMoney, the breach drew the ire of U.S. lawmakers:

Two U.S. senators jumped in with demands for investigations.

Chuck Schumer called on the Consumer Financial Protection Bureau to report on whether retailers should be required to encrypt customer card data. Richard Blumenthal called for a Federal Trade Commission probe, saying "it appears that Target may have failed to employ reasonable and appropriate security measures to protect personal information."

No breach of Starbucks customer data has been reported, but what is alarming is that, in the age of the hacker - when even encrypted data is at risk - it is unbelievable that a major U.S. retailer would choose convenience over security for its customers.

