Starbucks caught storing mobile passwords in the clear

Are you kidding me, Starbucks?

The Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14). The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.

Apparently this is a purposeful choice for them, a choice between security and convenience.

“A company like Starbucks has to make the choice between usability to drive adoption and the potential for misuse or fraud,” said Charlie Wiggs, general manager and senior vice president for U.S. markets at mobile vendor Mozido. “Starbucks has opted to make it very convenient. They just have to make sure that their comfort doesn’t overexpose their consumers and their brand.”

“Yes, it does surprise me,” said Gartner security analyst Avivah Litan. “I would have expected more out of Starbucks. At least they should have informed consumers.”

And apparently Starbucks could have done that. Two executives — Starbucks CIO Curt Garner and Starbucks Chief Digital Officer Adam Brotman — said in a telephone interview that they have known for an unspecified period of time that the credentials were being stored in clear text. “We were aware,” Brotman said. “That was not something that was news to us.”

So how does Starbucks respond?

Starbucks is downplaying the potential for customers to be victimized and claims that it has made (vague and unspecified) changes that alleviate the problem. Brotman said the issue should no longer be a concern because “we have security measures in place now related to that” and “we have adequate security measures in place now.” He declined to say what those security measures were, but said that customers’ “usernames and passwords are safe,” because Starbucks has added “extra layers of security.”


  • def4

    Meh. I really don’t care about the security of login credentials for many web accounts. Who has anything of value in a Starbucks account anyway?

    • mikey

      Credit cards. Their app offers recharge to account via a stored credit card. This is probably most often done in a Starbucks on their free, public wifi.

      • Colin Mattson

        Yup. While you can’t get the card information back out, you could effectively launder money via Starbucks cards.

        Or, for the sneakier thief, you could add your own card to the victim’s account, transfer all of the victim’s balances onto it, and then remove it. Unless it’s changed recently, none of those actions generate a receipt—only reloads and purchases do.

    • Scott Falkner

      Their password.

  • Moeskido

    Good to know. I try to avoid the chain these days, assuming there’s a relatively independent coffee shop where I’m likely to be. The only thing I use Starbucks for is a bit of wi-fi while standing outside.

    • Mother Hydra

      and the 3DS street pass relay system. But yeah other than those things I’ll always elect to go for a real cup o’ joe.

  • Mother Hydra

    Considering they are partnered with square for transaction processing they can’t really claim ignorance here. We know square is top notch with their apps. Starbucks is also beholden to PCI-DSS so, again, this is such a bad case of dropping the ball I just can’t see how they could possibly be so blithe in their response. My details aren’t safe you cretins, and Brotman- your job shouldn’t be either. Extra layer of security because we say so. Anyone else smell something because I think Brotman just stepped in it.

  • David

    Starbucks could have chosen not to store the password on the phone, but users would then be forced to key in their username and password every time they wanted to use the app to make a purchase.

    This presents two extremes when there is a clear third option, using keychain on iOS . The users would not have to key in their username and password every time they use the app, but it also would not be in plain text or by just connecting the phone to a PC. There is a well-established middle ground.

  • jackass executives.

  • CJ

    “Hi Starbucks. Have you met more former friend Target?”