The Singapore division of Starbucks, the popular American coffeehouse chain, has admitted that it suffered a data breach incident impacting over 219,000 of its customers.
The first clue that they were breached came on September 10, when a threat actor offered to sell a database containing sensitive details of 219,675 Starbucks customers on a popular hacking forum.
The hacking forum’s owner, “pompompurin,” joined the discussion to back the validity of the stolen data, saying that the provided samples contain substantial proof of authenticity.
Today, Starbucks Singapore sent out letters to notify its customers of a data breach, explaining that hackers may have stolen the following details:
- Date of birth
- Mobile number
- Email address
- Residential address
This breach concerns only customers who have used the Starbucks mobile app to make orders or used the chain’s online store to purchase goods from one of the 125 shops the chain operates in Singapore.
This point was further clarified by a Starbucks spokesperson to local media outlets, where the data breach was confirmed again. In addition, Starbucks says that financial information such as credit card information was not leaked, because it does not store this data.
Account passwords, rewards memberships or funds are not believed to be affected, but Starbucks Singapore is urging customers to reset their passwords and be alert for suspicious communications.
The seller of the data on the hacking forum claims he has already sold one copy of the stolen data for $3,500 and is willing to offer at least four more copies to interested buyers.
The reason for this limitation is to keep the value of the offered data artificially high. Selling the data to many attackers reduces its value, as multiple attacks can be launched simultaneously.
This approach increases the risk of Starbucks Singapore customers being targeted by phishing attacks, social engineering and fraud. It’s also worth noting that the hackers initially offered access to the compromised admin panel for $25,000, allowing the intruders to create promo codes and change membership levels.
However, due to the eventual loss of access to the admin panel, the offer was withdrawn and sales are now limited to database content.