Starbucks customers have been targeted and money is being syphoned from the credit or debit card they have tied to their Starbucks accounts… Why would you even do this? No idea. But when you go for convenience, you usually sacrifice your security.
In order to perform this attack, the only thing the badguys need is the victims’ username and password for their Starbucks account, and they can get it either via phishing, or by testing leaked compromised username/password combinations for other online services, because let’s face it, most people have the same username and password for every online service they subscribe to.
Once the badguys have control of the account, they can transfer the money currently loaded on the gift card on the victims’ Starbucks app to another gift card they have control of, and which they can resell later and they can also buy gift cards and send them to accounts they control.
If the customervictim has enabled the auto-load feature on the account, additional amounts are automatically loaded into the Starbucks card and can be stolen in the same way. In one instance, a victim witnessed the scammers triple the auto reload amount she set and make off with that money as well.
If the victim is not aware of the attack, and ignores all the warning signs, these steps can be repeated until all the money on the associated payment card is drained.
Read more about it here.