Starbucks’ popular mobile app, which lets customers pay for coffee with their smartphones, was exposed for storing usernames, email addresses and even passwords in clear text, meaning they could be easily accessed by anyone physically holding your device. The company confirmed the news late in the day yesterday, admitting that it opted for convenience over security.
Users of the app could make in-store payments without typing in their passwords repeatedly, entering the password only once, when activating the mobile payments feature. After logging in once, users only had to enter a password again when adding more money to their account, but that ease of use may have come at a cost.
Plugging a stolen smartphone into a computer will reportedly reveal the user’s private information, including a history of where they’ve been and anything else the Starbucks app may have picked up. Even worse, a smartphone thief could gain access to the owner’s bank account if the owner chose the same username and password for both services, which is reportedly the case about 20 percent of the time.
It’s unclear how Starbucks will correct the issue, though for the moment your best bet may be to delete the app entirely and download it again later on. For now, the company has fessed up to the security flaw, but doesn’t appear to have any plans to shore up its app in the near future.