Hacker sells stolen Starbucks data of 219,000 Singapore customers

The Singapore division of Starbucks, the popular American coffeehouse chain, has admitted that it suffered a data breach incident impacting over 219,000 of its customers.

The first clue that they were breached came on September 10, when a threat actor offered to sell a database containing sensitive details of 219,675 Starbucks customers on a popular hacking forum.

The hacking forum's owner, "pompompurin," joined the discussion to back the validity of the stolen data, saying that the provided samples contain substantial proof of authenticity.

Today, Starbucks Singapore sent out letters to notify its customers of a data breach, explaining that hackers may have stolen the following details:

• Name
• Gender
• Date of birth
• Mobile number
• Email address
• Residential address

This breach concerns only customers who have used the Starbucks mobile app to make orders or used the chain's online store to purchase goods from one of the 125 shops the chain operates in Singapore.

This point was further clarified by a Starbucks spokesperson to local media outlets, where the data breach was confirmed again.

Additionally, the company said that no financial details, such as credit card information, have been compromised, as Starbucks does not store the data.

Even though account passwords, Rewards membership, or credits aren't considered impacted, Starbucks Singapore urges customers to reset their passwords and remain vigilant against suspicious communications.

The data seller on the hacking forums claims to have already sold one copy of the stolen data for $3,500 and is willing to offer at least four more copies to interested buyers.

The reason for this limitation is to artificially keep the value of the offered data high, as selling it to many threat actors would diminish the value as multiple attacks are launched simultaneously.

This approach raises the risk of Starbucks Singapore customers becoming targets of phishing attacks, social engineering, and scamming.

It is also worth noting that the hacker initially offered access to the compromised admin panel for $25,000, enabling intruders to fabricate promo codes, change membership tiers, and more.

However, access to the admin panel was lost at some point, so that offer has been retracted, and the sale is now limited to the database contents.

Update 9/17/2022: A Starbucks spokesperson has sent BleepingComputer the following comment:

We are aware of the unauthorized activity impacting a select number of customer accounts in Singapore and are working with our licensed operator in the market to protect customer information.

Like all major retailers, Starbucks has safeguards in place to constantly monitor for fraudulent activity, which in this case, enabled early detection of the unauthorized activity.

Customers are encouraged to use different usernames and passwords for different sites, especially those that keep financial information, to protect their data security.