Starbucks Korea says hackers stole 8 million won from 90 clients


A Starbucks store in central Seoul [YONHAP]

 
A data breach at Starbucks Korea exposed the data of at least 90 clients holding prepaid cards the company issued, draining 8 million won ($6,300) from the hijacked accounts — and the numbers could grow.
 
A user on Bobaedream, an online community, said approximately 11 unauthorized transactions amounting to 2.8 million won were made on Tuesday at both online and offline stores using their prepaid card.
 
"An amount of 300,000 won was charged online from my account linked to the Starbucks app, and approximately 2.5 million won was charged at various Starbucks locations using another person's app card that I don't use," the user said in a now-deleted post that included an electronic receipt as proof. "The majority of the purchases consisted of tumblers."
 
Starbucks's mobile application allows users to make payments on their app cards without requiring additional authentication beyond their Starbucks IDs and passwords. Furthermore, the app facilitates automatic reloads using pre-registered credit cards.
 
Approximately 90 theft cases have been identified since the initial reporting on Tuesday, with the total amount stolen reaching around 8 million won.
 
The total amount of losses could grow, given the possibility that some consumers are not yet aware of their losses.
 
The company reimbursed the affected clients for the lost money following the incident.
 
Starbucks Korea said on its website that unknown entities attempted to gain unauthorized access to the app using a combination of randomly generated IDs and passwords obtained illicitly from external sources, utilizing overseas IP addresses.
 
The global coffee giant suspects that the attackers used a method known as "credential stuffing," which involves trying large quantities of user information, including IDs and passwords obtained from external sources, against various websites. This technique targets users who use the same ID and password combination across multiple platforms.
 
Starbucks Korea said it blocked the attackers' overseas IP address to mitigate further risks and address the situation, reported the incident to the relevant authorities and implemented additional security measures.
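
The login pattern described above, one source trying many different IDs with most attempts failing, can be found in authentication logs and separated from a single user mistyping a password. The following Python example is added here and is not Starbucks Korea's code; the log format, thresholds, account names and IP addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, source IP, account ID, result.
# IPs are RFC 5737 documentation addresses; nothing here is from the incident.
SAMPLE_LOG = """\
2024-01-09T03:00:01 203.0.113.7 kim01 FAIL
2024-01-09T03:00:02 203.0.113.7 lee22 FAIL
2024-01-09T03:00:03 203.0.113.7 park7 OK
2024-01-09T03:00:04 203.0.113.7 choi3 FAIL
2024-01-09T03:00:05 203.0.113.7 jung9 FAIL
2024-01-09T08:15:00 198.51.100.4 han88 FAIL
2024-01-09T08:15:20 198.51.100.4 han88 FAIL
2024-01-09T08:15:45 198.51.100.4 han88 OK
"""

def parse(log):
    """Yield (time, ip, account, ok) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3] == "OK"

def detect_stuffing(log, window=timedelta(minutes=5), min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: sorted accounts that logged in OK} for IPs whose attempts in
    any window span many distinct accounts with a high failure ratio."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in parse(log):
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            accounts = {a for _, a, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(accounts) >= min_accounts and fails / len(win) >= min_fail_ratio:
                # Any success from this IP is a likely account takeover.
                flagged[ip] = sorted({a for _, a, ok in events if ok})
                break
    return flagged
```

On the constructed log, the source that cycles through five different IDs is flagged and the one account it logged in to is listed for password reset and transaction review, while the single user who mistyped a password twice is left alone.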
 
The company disabled the screen capture function on its application on Android devices and is working to implement the same measure for Apple devices.
 
The total amount of prepaid balances of all Starbucks Korea customers reached 298.29 billion won as of 2022, according to the financial audit report of SCK Company, the operator of Starbucks Korea, the same year.
 
This is an increase of 40 billion won compared to the previous year.
 
The surge in prepaid value is attributed to the continuous increase in users since the introduction of Starbucks's Siren Order service, which allows customers to order drinks before arriving at the store.
 
Emart is the largest shareholder of SCK Company, owning 67.5 percent of its shares. 

BY SEO JI-EUN [seo.jieun1@joongang.co.kr]