Starbucks’ mobile app leaves customers’ passwords open to attack, according to a research report.
The popular app, which allows Starbucks customers to purchase drinks and food directly from their smartphones, saves customers’ usernames, passwords and other personal information in plain text.
That means a hacker could pick up a left-behind phone, plug it into a laptop and easily recover a Starbucks customer’s password without even knowing the smartphone’s PIN code.
Starbucks spokesman Jim Olson acknowledged the vulnerability, but he said no customers have claimed to have been hacked as a result.
“Obviously the security of our customers’ information is of the utmost importance to Starbucks and we’re monitoring for any risks and vulnerabilities,” he said.
Exploiting the issue wouldn’t be easy. To access a customer’s password, a hacker needs to be in possession of the phone, have a computer handy, and know how to access the file.
If a hacker does obtain the password, it would allow him or her access to money stored in the customer’s Starbucks account. Customers could be at greater risk if they use the same password for other sites.