(KPIX 5) – It’s a convenience customers appreciate and businesses love. So-called “auto-reloading” accounts that ensure you have the money to buy what you want, but hackers are finding a way in.
One in six Starbucks customers now use mobile pay, many with auto-reload linked to their bank account, which automatically replenishes their Starbucks funds, when they get low.READ MORE: Family Clings To Hope That Missing San Francisco Toddler Arianna Fitts Is Still Alive
But some are getting a wake-up call.
“There are people who are trying 10, 20, 30,000 logins at Starbucks.com,” computer security expert Bob Sullivan told KPIX 5 ConsumerWatch via Skype.
Hackers have managed to drain some customer’s account balances, and worse, the bank accounts they have linked via auto-reload.
“They suck the money off to a card they control, and then they resell those cards,” Sullivan said.
Sullivan said it happened to Maria Nistri, who was powerless to stop the cycle of drain, and reload. Hackers emptied her Starbucks account, waited for it to reload, then emptied it again and again.READ MORE: Ballpark Beating Victim Bryan Stow Tosses Out Giants First Pitch
Though individual customer accounts were hacked, Starbucks stresses the Starbucks mobile app itself has not been hacked. Starbucks said they “constantly monitor for fraudulent activity,” and “customers are not responsible” for charges or transfers they didn’t make.
But Sullivan says Starbucks customers aren’t the only ones who should be concerned.
“Any kind of third-party money system that exists is vulnerable to this,” he said.
He said third parties like mass transit and others that link to customer accounts don’t generally have the same protections in place as a bank.
Security experts said to treat any linked account like you would your bank account, use strong passwords and avoid auto reload if you can.MORE NEWS: Fire Erupts At Half Moon Bay's Historic San Benito House Inn; Two Rescued
Sullivan said it’s not entirely clear how hackers are doing this. They’re likely using information stolen from other data breaches. Hackers may also be doing a so called “brute force” attack, entering thousands of passwords until they get the right one.