Starbucks (NASDAQ: SBUX) is the latest company to acknowledge a security scare, and has released an updated version of its iOS app in response to reported security issues that could disclose sensitive customer information.
The issue in question is a log file generated by crash-reporting analytics firm Crashlytics that stores personal information in plain text. The log file can be retrieved from a user's handset even if the phone is locked with a PIN, and it contains unencrypted versions of the customer's username, email address, and password. Starbucks executives acknowledged the vulnerability and said that no customers had claimed to have been hacked as a result and that they have made changes to mitigate the danger.
"We take these types of concerns seriously and have added several safeguards to protect the information you share with us," Starbucks said in a statement. "To protect the integrity of these added measures, we are unable to share technical details but can assure you that they sufficiently address the concerns raised in the research report."
Starbucks updated the app with a new credential storage method that will no longer expose usernames and passwords as plain text. Risk to users, however, was minimal, according to The Street's Rocco Pendola. Hackers would have to obtain a user's handset, navigate the password screen -- assuming the device was password protected -- and then hack the Starbucks app. But recent security breaches at Target (NYSE: TGT) and Neiman Marcus have spurred retailers to take more proactive measures.