Our content is free because we may earn a commission when you click or make a purchase from links on our site. Learn more about how we make money.

Advertiser Disclosure

MONEY has partnered with CardRatings.com and ConsumersAdvocate.org, among other companies, for our coverage of credit card products. MONEY, CardRatings.com, and ConsumersAdvocate.org may receive a commission from card issuers.

Opinions expressed here are the author's alone, not those of any bank, credit card issuer, airline or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.

Starbucks app on iPhone
Kevin Schafer—Getty Images

Credit card hackers are targeting Starbucks gift card and mobile payment users around the country — and stealing from consumers’ credit cards — with a new scam so ingenious they don’t even need to know the account number of the card they are hacking.

Criminals are using Starbucks accounts to access consumers’ linked credit cards. Taking advantage of the Starbucks auto-reload function, they can steal hundreds of dollars in a matter of minutes. Because the crime is so simple, can escalate quickly, and the consumer protections controlling the transaction are unclear, Starbucks customers should consider disabling auto-reload on the Starbucks mobile payments and gift cards.

The fraud is a big deal because Starbucks mobile payments are a big deal. Last year, Starbucks said it processed $2 billion in mobile payment transactions, and about 1 in 6 transactions at Starbucks are conducted with the Starbucks app.

Maria Nistri, 48, was a victim last week. Criminals stole the Orlando women’s $34.77 in value she had loaded onto her Starbucks app, then another $25 after it was auto-loaded into her card because her balance hit 0. Then, the criminals upped the ante, changing her auto reload amount to $75, and stealing that amount, too. All within seven minutes.

“I don’t know why Starbucks would recommend people do auto-reload when this crime is so easy,” she said.

The trouble started at 7:11 a.m. on Wednesday when she received an automated email saying her username and password had been changed, and if she hadn’t authorized the change, she should call customer service. She tried, but the number she called notified her an operator couldn’t answer until 8 a.m.

“Whoever did this knew the right time to do it,” she said.

More From Credit.com:

You May Like

EDIT POST