
Starbucks data breach compromised customers' personal and payment data

Global coffee chain Starbucks said hackers gained access to its Partner Central accounts in February to steal customers’ personal and financial information, including their bank account and routing numbers.

 

The company made the announcement in a data breach incident notice filed with the office of the Attorney General of Maine on Thursday, March 12. In its letter sent to affected customers, a copy of which was affixed to its filing, Starbucks said the unauthorised access was discovered on February 6.

 

Following the discovery, the coffee chain said it began an investigation with help from leading cyber security experts, informed law enforcement agencies, and took steps to contain the incident. 

 

The investigation revealed that cyber criminals set up fake websites that impersonated Starbucks’ Partner Central domain and collected login credentials, which they then used to log in to genuine Partner Central accounts and gain access to customers’ sensitive information.

 

"Based on our investigation, we understand that some of your personal information, including your name and social security number, date of birth, and financial account number and routing number, may have been accessed by an unauthorised third party," Starbucks said. "To help address concerns you may have about this incident, we are offering complimentary access to Experian IdentityWorks for twenty four months."

 

The company informed the office of the Maine Attorney General that the data security incident impacted approximately 889 individuals at the time of reporting, including five Maine residents.

 

Typosquatting and brand impersonation attacks, in which hackers use lookalike domains to steal login credentials, deliver malware or obtain payment card data, are highly common and affect almost every major brand worldwide. According to Check Point, technology giants like Microsoft, Google, Facebook and Netflix were among the most impersonated brands in Q4 2025, with malicious actors using brand familiarity to achieve their objectives.

 

"Brand phishing remains effective because it exploits user trust in familiar platforms. Attackers increasingly rely on polished visuals, subtle domain manipulation, and multi-stage flows that closely mimic legitimate user experiences—often leaving victims unaware that their credentials have been stolen," the company said. "As identity becomes the primary attack surface, phishing remains a critical initial access vector for both consumer fraud and enterprise breaches."

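The "subtle domain manipulation" described above can be screened for on the defender's side; the following is an added example, not part of the original article or anything published by Starbucks or Check Point, that classifies newly observed hostnames against a protected portal hostname. The hostname `partner.coffeeco.example`, the brand label and the observed list are constructed placeholders, since the article does not give the real domains.

```python
import unicodedata

PROTECTED, BRAND = "partner.coffeeco.example", "coffeeco"  # constructed placeholders
# Illustrative confusables only (digits and Cyrillic a, e, o, c, p); the Unicode list is far larger.
FOLD = str.maketrans("0135\u0430\u0435\u043e\u0441\u0440", "olesaeocp")

def skeleton(host):
    """Fold a hostname so visually similar spellings compare equal."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # xn-- labels to Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA
    host = unicodedata.normalize("NFKD", host)
    host = "".join(c for c in host if not unicodedata.combining(c))
    return host.translate(FOLD).replace("rn", "m").replace("vv", "w")

def registrable(host):  # assumption: last two labels; real code needs the Public Suffix List
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate):
    raw, own = candidate.lower().rstrip("."), registrable(PROTECTED)
    if raw == own or raw.endswith("." + own):
        return "legitimate"     # anything under the organisation's own domain
    cand, good = registrable(skeleton(raw)), registrable(skeleton(PROTECTED))
    if cand == good:
        return "homoglyph"      # same look, different code points or digits
    if edit_distance(cand, good) <= 2:
        return "typosquat"      # dropped, doubled or swapped characters
    if BRAND in skeleton(raw):
        return "combosquat"     # brand name inside someone else's domain
    return "unrelated"

# Constructed sample of newly observed hostnames (e.g. from proxy or CT-log monitoring).
OBSERVED = ["partner.coffeeco.example", "partner.c0ffeeco.example",
            "partner.\u0441offeeco.example", "partner.cofeeco.example",
            "coffeeco-partner-login.example", "weather.example"]

def scan(hostnames):
    return {h: v for h in hostnames if (v := classify(h)) not in ("legitimate", "unrelated")}
```

Hostnames flagged by `scan` are candidates for takedown requests, blocklisting and a check of authentication logs for logins that followed visits to them.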


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543