Main Highlights:
- Starbucks Singapore says customer data illegally accessed in data leak
- Hacker sells stolen Starbucks data of 219,000 Singapore customers
- 330000 S’pore Starbucks customers’ data leaked, info sold online for $3500
Starbucks, the iconic American coffeehouse brand, has acknowledged a data breach that affected approximately 219,000 of its customers in Singapore.
The hackers are already selling the information on an internet platform that specialises in the sale of stolen datasets. The hackers claimed to have access to Starbucks Singapore’s “whole database,” which had more than 553,000 entries, in a September 10 post, and supplied a sample dump.
On September 10, a threat actor offered to sell a database containing personal information of 219,675 Starbucks customers on a prominent hacker forum, indicating that they had been compromised.
The proprietor of the hacker community, “pompompurin,” entered the conversation to support the legitimacy of the stolen material, claiming that the offered samples contain sufficient proof of authenticity.
On September 10, a hacker forum user known as Sedy offered the whole database for SGD $3,500 (about $2,500), allowing other cybercriminals and fraudsters to utilise the information.
In an email response, a spokesman stated that the firm was made aware of a data breach on Tuesday, September 13, that may affect consumers who had previously completed a purchase via the Starbucks in-app delivery or online shop services.
Starbucks Singapore handed out letters today informing consumers of a data breach, saying that hackers may have taken their personal information like:
- Name
- Gender
- Date of birth
- Mobile number
- Email address
- Residential address
The breach affects only consumers who used the Starbucks mobile app to place orders or utilised the chain’s online store to buy items from one of the 125 Starbucks locations in Singapore.
Furthermore, the business stated that no financial information, such as credit card information, was exposed because Starbucks does not keep the data.
Even though account passwords, Rewards membership, or credits are not thought to be affected, Starbucks Singapore advises consumers to update their passwords and be wary of unexpected messages.
Starbucks Singapore emailed customers today to inform them of the data breach, which is alleged to have affected consumers who made accounts with the coffee company using its smartphone app or online shop.
Starbucks told consumers in an email that their credit card information had not been exposed since the company does not keep that information.
According to a Starbucks spokeswoman, the company “immediately took reasonable actions to secure consumer information” and is cooperating with authorities while the incident is probed.
Although Starbucks claims that no credentials have been compromised, consumers are nevertheless recommended to replace their passwords immediately. It makes sense for users to select unique, strong passwords that are difficult to crack, and to avoid reusing passwords elsewhere on the internet.
The corporation has also alerted clients about the possibility that thieves would use the stolen information to obtain further information:
“We would want to emphasise that Starbucks will not ask for personal or membership information, nor will we offer URL links in response to such inquiries. If you receive such warnings, please be watchful and do not give any information.”
On the hacker forums, the data seller claims to have sold one copy of the stolen data for $3,500 and is willing to sell at least four additional copies to prospective purchasers.
The rationale for this constraint is to artificially maintain the value of the given data, as selling it to many threat actors would reduce its value when several assaults are launched concurrently.
This method increases the likelihood of Starbucks Singapore consumers being victims of phishing, social engineering, and scamming.
It’s also worth mentioning that the hacker first offered access to the compromised admin panel for $25,000; that access allowed intruders to create discount codes, adjust membership tiers, and more.
However, because access to the admin panel was lost at some point, that offer was withdrawn, and the sale is now restricted to the database contents.
A Starbucks representative stated:
Customers impacted by the incident had been contacted through email. She stated that “appropriate procedures” were promptly taken to preserve client data, but did not elaborate. She said that, like all large retailers, the firm has precautions in place to “constantly check for fraudulent activity.”
“The security of our clients’ information is crucial, and we will continue to do everything we can to secure it,” she added.
We are aware of illegal behaviour affecting a small number of customer accounts in Singapore and are collaborating with our licenced operator in the market to secure client data.
Starbucks, like many big merchants, has protections in place to continually monitor for fraudulent behaviour, which enabled early discovery of the unlawful conduct in this situation.
Customers are advised to use different usernames and passwords for different sites, particularly those that store financial information, to ensure the security of their data.
The Starbucks spokeswoman did not respond to numerous queries about how many consumers were harmed by the data breach or which systems were involved.