Starbucks Gift Cards Could Be Hacked for 'Unlimited Coffee,' Says Researcher

And it appears cybercriminals have been selling something similar for months.

People will steal just about anything. Recently, Motherboard showed that fraudulent trips were being made on victims' Uber accounts, and there are also methods for getting a free lunch at Subway. Now, a researcher has disclosed how he managed to scam Starbucks for free store credit, and it appears cybercriminals have been selling something similar for months.

Egor Homakov, who works as a hacker for security company Sakurity, yesterday published a method he had discovered for generating an unlimited amount of credit on Starbucks gift cards. Naturally, he says this could result in a "lifetime supply of coffee."

Usually, the transfer of funds from one Starbucks gift card to another is very straightforward: a user logs into a personal account on starbucks.com, and can then buy gift cards, check their balance, or send funds between different cards.

But Homakov found that by trying to transfer $5 simultaneously from two different browsers, Starbucks actually generated additional credit.

After five failed efforts, "the sixth request created two $5 transfers from wallet1 with [a] $5 balance. Now we have 2 cards with $15 and $5 ($20 in total)," Homakov wrote. "Now we need a proof of concept, otherwise Starbucks guys can claim there's no bug or it might be some cache issue."

To prove that the method worked, Homakov went to a Starbucks shop and successfully used the cards to purchase bottles of water, a sandwich and some coffee.
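The duplicated transfer described above is a check-then-write race condition. The sketch below is an added example, not code from Homakov's post or from Starbucks: it replays two simultaneous $5 transfer requests against a constructed SQLite table, first with a handler that reads the balance before writing it, then with one that debits in a single conditional UPDATE. The table, function names and starting balances are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: two cards holding $5 each.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (id TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    db.executemany("INSERT INTO cards VALUES (?, ?)", [("wallet1", 5), ("wallet2", 5)])
    return db

def unsafe_transfer(db, src, dst, amount):
    """Check-then-write: the balance is read first and written back later."""
    (balance,) = db.execute("SELECT balance FROM cards WHERE id=?", (src,)).fetchone()
    yield  # gap in which a second request can read the same balance
    if balance < amount:
        return False
    db.execute("UPDATE cards SET balance=? WHERE id=?", (balance - amount, src))
    db.execute("UPDATE cards SET balance=balance+? WHERE id=?", (amount, dst))
    return True

def safe_transfer(db, src, dst, amount):
    """The balance check is part of the debit statement, so no gap exists."""
    yield  # same scheduling point as above, but nothing has been read yet
    with db:  # debit and credit commit together or not at all
        cur = db.execute(
            "UPDATE cards SET balance=balance-? WHERE id=? AND balance>=?",
            (amount, src, amount))
        if cur.rowcount != 1:
            return False  # insufficient funds at the moment of the write
        db.execute("UPDATE cards SET balance=balance+? WHERE id=?", (amount, dst))
    return True

def run_interleaved(handler, requests=2):
    """Start every request, pause each at its yield, then let them finish in turn."""
    db = make_db()
    pending = [handler(db, "wallet1", "wallet2", 5) for _ in range(requests)]
    for req in pending:
        next(req)
    results = []
    for req in pending:
        try:
            next(req)
        except StopIteration as done:
            results.append(done.value)
    return results, dict(db.execute("SELECT id, balance FROM cards"))

if __name__ == "__main__":
    print("unsafe:", run_interleaved(unsafe_transfer))
    print("safe:  ", run_interleaved(safe_transfer))
```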

An advertisement from a hacker claiming to exploit a Starbucks gift card hack.

Homakov then allegedly informed Starbucks of the problem, and says they fixed it after 10 days, but not before the Starbucks employee he spoke to mentioned "fraud" and "malicious actions," according to Homakov.

"I could create a simple bunch of fake gift cards bought around the world, silently generate credits on them and sell Starbucks credits online for Bitcoin with, say, 50 percent discount," Homakov wrote. "I don't know for sure, it's just a wild guess that this bug could be pretty profitable."

According to hacker forums, criminals have already been offering the transfer of Starbucks credit for months.

"I transfer money, from a Starbucks gift card onto your gift card," one advert read on a hacking forum on the clear web. One hacker was offering $100 of credit for $20, another was advertising the same amount for $30, while one other was carrying out the service for a 10 percent fee.

The hackers are paid via either PayPal or Bitcoin, according to a forum advert.

Earlier this week, Brian Krebs reported that Starbucks accounts were being used fraudulently. This was likely due to those accounts being broken into. Starbucks did not immediately respond to a request for comment.

These gift card adverts were written between March and late April, with happy customers reporting successful transactions until at least then. It is unclear whether the exploit being used by these criminals is the same as the one that Homakov discovered. Without more details from Starbucks, it is also unknown if the fix reported by Homakov put an end to this gift card service.

In his post, Homakov said his method could be used to steal "millions" of dollars. Perhaps that's a bit of an exaggeration, but people certainly are making a profit at Starbucks' expense.

Update: "Like all major retailers, Starbucks has safeguards in place to constantly monitor for fraudulent activity," a Starbucks spokesperson told Motherboard. "After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication."