The Singaporean division of Starbucks, the popular American coffeehouse chain, has admitted to suffering a data breach incident affecting more than 219,000 of its customers.
The first hint that they were hacked came on September 10, when a malicious actor offered to sell a database containing sensitive information about 219,675 Starbucks customers on a popular hacking forum.
The owner of the hacking forum, “pompompurin”, joined the discussion to support the validity of the stolen data, saying that the samples provided contain substantial proof of authenticity.
Today, Starbucks Singapore sent letters notifying customers of a data breach, explaining that hackers may have stolen the following details:
- Last name
- Date of Birth
- Mobile number
- E-mail address
- Residential address
This breach only affects customers who used the Starbucks mobile app to place orders or used the chain’s online store to purchase products from any of the 125 stores the chain operates in Singapore.
This point was clarified by a Starbucks spokesperson to local media, where the data breach was again confirmed.
Additionally, the company said that no financial details, such as credit card information, were compromised because Starbucks does not store the data.
Although account passwords, membership rewards or credits are not considered affected, Starbucks Singapore urges customers to reset their passwords and remain vigilant against suspicious communications.
The data seller on the hacking forum claims to have already sold a copy of the stolen data for $3,500 and is ready to offer at least four more copies to interested buyers.
The reason for this limit is to keep the value of the offered data artificially high, since selling it to many threat actors would lower its value as multiple attacks are launched simultaneously.
This approach increases the risk of Starbucks Singapore customers becoming the target of phishing, social engineering and scam attacks.
It should also be noted that the hacker initially offered access to the compromised admin panel for $25,000, allowing the intruders to craft promo codes, change membership levels, and more.
However, access to the admin panel was lost at some point, so this offer was removed and the sale is now limited to database content.