LITTLETON, Colo. — When she needs a caffeine boost, Littleton resident Lisa Schwartz uses her Starbucks app to order and pay for her go-to drink.
"Strangely enough, I don't drink coffee," Schwartz said with a laugh. "I usually get a chai latte."
She uses the Starbucks app for rewards and auto-reloads for convenience.
"It will automatically reload to $25, and that's just automatically going on your credit card," Schwartz said. "But I saw three or four [re-loads] in one day, and that was definitely not normal."
Last week, Schwartz reviewed her American Express credit card statements and counted dozens of fraudulent Starbucks charges since January, including in-person purchases at locations in other states.
"So far, it's well over $2,000," she said. "It's kind of a sick feeling. I felt pretty stupid for not taking better care of watching out for my bills."
In an email, Starbucks informed Schwartz that this was a credit card issue, but an American Express representative told her Starbucks was to blame. A Starbucks spokesperson confirmed its app was not hacked.
Dan Pittman, a cybersecurity coordinator in the computer science department at Metropolitan State University of Denver, said reports like this are common and likely the result of password breaches.
"So Starbucks itself wasn't breached, but the user's credentials were breached and it was reused in the Starbucks app," said Pittman. "That gives them the mechanism to then log into your bank, log into your Starbucks app, anywhere you use the same username and password. That becomes vulnerable."
Pittman said using a credit card could help protect consumers from fraudulent charges through apps.
"Majority of the time, [credit cards] are not going to hold you liable for those charges, as long as you report it to the credit card company and you say what's happened. They'll open a dispute, and they'll help you out with it," said Pittman.
Denver7 contacted American Express and Starbucks about Schwartz's fraudulent charges. Spokespeople for both companies said they are working to resolve the issue.
"The two emails I got today from American Express are definitely because of you guys reaching out to them," said Schwartz.
American Express is temporarily crediting her account for $550 while it investigates the fraud.
"That's amazing, and that's why I called you guys. I don't want other people to have this happen to them," said Schwartz.
To protect yourself from fraudulent charges, follow these steps:
- Don't reuse passwords. Get a password manager so you can have different passwords for every app.
- Turn on two-factor authentication to have one more level of protection.
- Keep a close eye on your credit card and bank statements so you know immediately if anything has been compromised.