Starbucks Admits its Payment App Stored Unencrypted Usernames and Passwords

App security, and security in general, has been a major focus for most developers and retailers, especially since the breaches at Neiman Marcus and Target during the holiday season. The latest incident is the negligent storage of usernames and passwords by Starbucks’ payment app, which were reported to be readable simply by plugging the smartphone into a computer.

The security flaw was first reported by Computerworld on January 15, 2014, which prompted Starbucks to issue the following statement the next day:

Out of an abundance of caution, we are also working to accelerate the deployment of an update for the app that will add extra layers of protection. We expect this update to be ready soon and will share our progress here. While we are working on the update, we would like to emphasize that your information is protected and that you should continue to feel confident about the integrity of our iOS app.

While it’s unclear how long the company had been storing user data in such a blatantly unsafe fashion, the company admitted that it “was not something that was news to us.”

While the exposed data is, as far as we are aware, only stored on the user’s phone, a thief with a stolen phone can read it and make charges against the account even without knowing the PIN used to log in. Further, the app also stores geolocation data, meaning anyone with access to the phone can see where you’ve been, an uncomfortable amount of personal information.