Starbucks storing mobile passwords in clear text

UPDATE 8:20 a.m. 1/18/2014:

Starbucks has released an updated version of its mobile app for iOS, saying it contains “additional performance enhancements and safeguards.” The free update is available here.

EARLIER: 11:29 a.m. 1/16/2014:

WASHINGTON – The most-used mobile payment app in the United States stored its users’ personal information in a way that could have gotten a tech-savvy thief a lot of free coffee — on you.

Starbucks executives confirm the coffee chain’s mobile payment app has been storing usernames, email addresses and passwords in clear text — not encrypted, according to a Computerworld report.

That means anyone who can get access to a device with the Starbucks mobile-payment app could connect the phone to a PC and get the passwords, usernames and a list of geolocation tracking points — which could sacrifice the phone owner’s privacy and security.

Knowing the phone owner’s information would allow the thief to charge items to the victim’s account, until the stored value on the card is used up.

Even worse, if the phone owner activated an auto-replenish option, more money could be accessed from the victim’s bank account.

“What you’ve described is fair, at a high level,” Starbucks CIO Curt Garner said. “From a design perspective, this could have potentially happened.”

According to Computerworld, Starbucks chose convenience over security.

Two executives, quoted in a phone interview with Computerworld, said they had known the credentials were being stored in plain text.

“We were aware,” said Chief Digital Officer Adam Brotman. “This was not something that was news to us.”

Customers using the free Starbucks app only need to enter their password once, while activating the payment options. After that, users don’t have to enter their username or passwords again.
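The article describes two things a defender would want to look at together: credentials written to device storage in readable form, and a design in which the password is typed once and then silently reused. The Swift sketch below is added here as an illustration; it is not code from Starbucks or from the app, and the `SessionStore` type, the service identifier and the idea that the server hands back a revocable session token are assumptions. It shows the weak pattern beside a hardened one: do not keep the password at all, and keep the token that replaces it in the Keychain under a data-protection class that stays encrypted until the device is unlocked.

```swift
import Foundation
import Security

// Weak pattern (illustration of what the article describes, not the app's code):
// UserDefaults is an unencrypted plist on disk, so anything written here is
// readable from a device image or backup with no cryptographic protection.
func storeCredentialsInsecurely(username: String, password: String) {
    let defaults = UserDefaults.standard
    defaults.set(username, forKey: "username")
    defaults.set(password, forKey: "password")   // plaintext at rest
}

// Hardened pattern (hypothetical helper):
// 1. Never persist the password. Exchange it once for a server-issued session
//    token that the server can revoke (the server side is assumed, not shown).
// 2. Store that token in the Keychain with
//    kSecAttrAccessibleWhenUnlockedThisDeviceOnly, so it is encrypted until the
//    device passcode has been entered and is never migrated to another device.
enum SessionStore {
    private static let service = "com.example.coffeeapp.session"   // hypothetical identifier

    // Attributes that identify the item; shared by save, load and clear.
    private static func baseQuery(account: String) -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account
        ]
    }

    // Replace any existing token for this account and store the new one.
    static func save(token: String, account: String) -> OSStatus {
        var attributes = baseQuery(account: account)
        attributes[kSecValueData as String] = Data(token.utf8)
        attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        SecItemDelete(baseQuery(account: account) as CFDictionary)
        return SecItemAdd(attributes as CFDictionary, nil)
    }

    // Read the token back; returns nil when absent or the device is still locked.
    static func loadToken(account: String) -> String? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }

    // Sign-out path: remove the token locally (the server should revoke it too).
    static func clear(account: String) -> OSStatus {
        return SecItemDelete(baseQuery(account: account) as CFDictionary)
    }
}
```

Two design points follow from the article. Because the token is the only secret on the device, a lost phone is handled by revoking that one token server-side rather than by forcing a password change. And because the sensitive action the article highlights is auto-replenish drawing on a bank account, a reasonable mitigation is for the server to require fresh authentication for changes to funding sources even when a valid session token is presented.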

To exploit the easily read information, a thief would have to steal or at least borrow the device upon which the Starbucks app is loaded.

Yet, a hacker could access the information even without knowing the phone’s PIN code, writes Computerworld reporter Evan Schuman.

Brotman, with Starbucks, is downplaying the potential for customers to be victimized by easy visibility of passwords, saying “we have security measure in place now related to that,” and that “usernames and passwords are safe,” because Starbucks has added “extra layers of security.”

Reporter Evan Schuman writes Starbucks offered no specifics of the improved security.
