Full Report
Starbucks has disclosed a data breach affecting hundreds of employees after threat actors gained access to their Starbucks Partner Central accounts. [...]
Analysis Summary
# Incident Report: Starbucks Partner Central Credential Harvesting
## Executive Summary
Starbucks Corporation experienced a targeted data breach where threat actors gained unauthorized access to 889 employee accounts via credential harvesting. The attackers utilized phishing websites impersonating the "Starbucks Partner Central" portal to steal login credentials, exposing sensitive personal and financial data. Starbucks has since contained the incident, notified law enforcement, and offered credit monitoring to affected individuals.
## Incident Details
- **Discovery Date:** February 6, 2026
- **Incident Date:** January 19, 2026 – February 11, 2026
- **Affected Organization:** Starbucks Corporation
- **Sector:** Food and Beverage / Retail
- **Geography:** Global (Headquartered in USA)
## Timeline of Events
### Initial Access
- **Date/Time:** January 19, 2026
- **Vector:** Phishing / Credential Harvesting
- **Details:** Attackers stood up fraudulent websites impersonating the internal "Partner Central" HR portal to trick employees into entering their credentials.
### Lateral Movement
- **Details:** No internal lateral movement across the broader corporate network was reported; attackers focused on direct access to the SaaS/Web-based HR portal using valid hijacked credentials.
### Data Exfiltration/Impact
- **Details:** Attackers accessed sensitive HR records for 889 partners. Stolen data included names, Social Security numbers (SSNs), dates of birth, and bank routing/account numbers.
### Detection & Response
- **Discovery:** February 6, 2026 (Detection of "potential unauthorized access").
- **Response Actions:** Starbucks initiated an investigation with third-party experts, notified law enforcement, and eventually revoked unauthorized access by February 11, 2026.
## Attack Methodology
- **Initial Access:** Phishing (Impersonation of corporate portals).
- **Persistence:** Use of valid stolen credentials to maintain access to HR profiles.
- **Privilege Escalation:** Not applicable (Abuse of existing user permissions).
- **Defense Evasion:** Use of look-alike domains (typosquatting) to bypass user scrutiny.
- **Credential Access:** Credential harvesting via fraudulent UI.
- **Discovery:** Accessing HR databases to view personal and financial information.
- **Impact:** Data breach and potential identity theft of nearly 900 employees.
## Impact Assessment
- **Data Breach:** Compromise of PII (Names, SSNs, DOB) and financial data for 889 employees.
- **Financial:** Costs associated with 2 years of Experian IdentityWorks credit monitoring for victims and legal/forensic fees.
- **Operational:** Minimal disruption to coffeehouse operations, but HR administrative overhead for remediation.
- **Reputational:** Public disclosure of another security incident following previous 2022 and 2024 events.
## Indicators of Compromise
- **Network indicators:** Websites impersonating Partner Central (URLs not specifically listed in the report but identified as the primary vector).
- **Behavioral indicators:** Failed logins followed by successful logins from atypical IP addresses or geolocations; multiple account access from shared infrastructure.
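The behavioral indicators above, together with the "Anomalous Login Alerts" recommendation at the end of the report, reduce to three rules that can be run over portal sign-in logs. The block below is an added example, not part of the report and not Starbucks' tooling: it evaluates those rules over constructed sample events. The event shape, the per-account IP baseline, and the thresholds (a 10-minute failure window, three accounts per hour from one IP, 900 km/h for impossible travel) are assumptions chosen for the illustration.

```python
"""Detection logic for the behavioral indicators listed above, run over constructed
sample events. Added example: event shape, field names, the per-account IP baseline and
the thresholds are assumptions, not Starbucks' logging or anything from the report."""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events for a fictional HR portal (not real log data).
# Fields: UTC timestamp, account, result, source IP, latitude/longitude from IP geolocation.
SAMPLE_EVENTS = [
    ("2026-01-18T16:02:11Z", "alice", "success", "10.20.30.40",  47.61, -122.33),  # Seattle, office
    ("2026-01-19T13:40:05Z", "alice", "failure", "203.0.113.7",  52.52,   13.40),  # Berlin, unknown IP
    ("2026-01-19T13:40:19Z", "alice", "failure", "203.0.113.7",  52.52,   13.40),
    ("2026-01-19T13:41:02Z", "alice", "success", "203.0.113.7",  52.52,   13.40),  # failures -> success
    ("2026-01-19T13:55:44Z", "bob",   "success", "203.0.113.7",  52.52,   13.40),  # 2nd account, same IP
    ("2026-01-19T14:10:09Z", "carol", "success", "203.0.113.7",  52.52,   13.40),  # 3rd account, same IP
    ("2026-01-19T09:00:00Z", "dave",  "success", "10.20.30.41",  47.61, -122.33),  # Seattle, office
    ("2026-01-19T10:30:00Z", "dave",  "success", "198.51.100.9", 35.68,  139.69),  # Tokyo, 90 min later
]
# Constructed baseline: IPs each account has previously used from corporate networks.
BASELINE = {"alice": {"10.20.30.40"}, "dave": {"10.20.30.41"}}


def parse(rows):
    """Turn the raw tuples into dicts with timezone-aware datetimes."""
    return [
        {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
         "user": user, "result": result, "ip": ip, "lat": lat, "lon": lon}
        for ts, user, result, ip, lat, lon in rows
    ]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _group(events, key, only_success=False):
    """Group events by a field, in time order, optionally keeping only successes."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if not only_success or e["result"] == "success":
            groups[e[key]].append(e)
    return groups


def failed_then_success(events, baseline, window_min=10):
    """Rule 1: a success from an IP outside the account's baseline, preceded within
    window_min minutes by at least one failed attempt against the same account."""
    alerts = []
    for user, evs in _group(events, "user").items():
        for i, e in enumerate(evs):
            if e["result"] != "success" or e["ip"] in baseline.get(user, set()):
                continue
            if any(p["result"] == "failure" and
                   (e["ts"] - p["ts"]).total_seconds() <= window_min * 60 for p in evs[:i]):
                alerts.append((user, e["ip"]))
    return alerts


def shared_infrastructure(events, min_accounts=3, window_min=60):
    """Rule 2: one source IP signing in successfully as min_accounts or more distinct
    accounts inside window_min minutes (replay of harvested credentials)."""
    alerts = []
    for ip, evs in _group(events, "ip", only_success=True).items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:]
                     if (x["ts"] - start["ts"]).total_seconds() <= window_min * 60}
            if len(users) >= min_accounts:
                alerts.append((ip, frozenset(users)))
                break
    return alerts


def impossible_travel(events, max_kmh=900.0):
    """Rule 3: two consecutive successes for one account whose implied travel speed
    exceeds max_kmh (roughly airliner speed); same-second logins count as infinite."""
    alerts = []
    for user, evs in _group(events, "user", only_success=True).items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((user, prev["ip"], cur["ip"], round(speed)))
    return alerts


def detect(events, baseline):
    """Run all three rules and return their hits keyed by rule name."""
    return {"failed_then_success": failed_then_success(events, baseline),
            "shared_infrastructure": shared_infrastructure(events),
            "impossible_travel": impossible_travel(events)}


if __name__ == "__main__":
    for rule, hits in detect(parse(SAMPLE_EVENTS), BASELINE).items():
        for hit in hits:
            print(f"ALERT {rule}: {hit}")
```

On the sample data the first rule fires for alice (two failures then a success from a non-baseline IP), the second for 203.0.113.7 (three accounts inside half an hour) and the third for dave (Seattle to Tokyo in 90 minutes), while alice's overnight move from Seattle to Berlin stays under the speed threshold. In production the baseline would be learned from historical successes rather than hard-coded, and corporate VPN egress or carrier NAT needs an allowlist in rule 2 or it will page on every shared address.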
## Response Actions
- **Containment:** Removal of threat actor access from the Partner Central system (completed by Feb 11).
- **Eradication:** Decommissioning/flagging of fraudulent phishing domains.
- **Recovery:** Notification of affected parties on March 10, 2026; provision of identity theft protection.
## Lessons Learned
- **Phishing Vulnerability:** Even internal-facing HR portals require robust protection against credential harvesting.
- **Detection Gap:** There was an 18-day gap between initial access (Jan 19) and discovery (Feb 6), and a further 5-day delay in fully removing the attackers.
- **MFA Implementation:** The success of the phishing attack suggests either that Multi-Factor Authentication (MFA) was not enforced on the portal, or that the attackers bypassed it using MFA fatigue or adversary-in-the-middle (AiTM) phishing techniques.
## Recommendations
- **Implement Phishing-Resistant MFA:** Deploy FIDO2-based hardware keys or certificate-based authentication for sensitive portals like Partner Central.
- **Domain Monitoring:** Use automated tools to identify and take down look-alike domains (e.g., starbucks-partner[.]com).
- **Security Awareness Training:** Conduct targeted training for employees on identifying fraudulent login pages.
- **Anomalous Login Alerts:** Configure SIEM/IAM alerts for logins from non-corporate devices or "impossible travel" scenarios regarding HR portal access.
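The "Domain Monitoring" recommendation above is usually implemented by scoring newly observed domains (from registration feeds or certificate transparency logs) against the protected brand. The block below is an added example of that triage step, not code from the report or from Starbucks' monitoring: it normalizes homoglyph and separator tricks, strips lure words such as "partner" or "login", and keeps anything whose remainder is within a small edit distance of the brand. The owned-domain allowlist, lure words, homoglyph table, thresholds and candidate list are constructed for the illustration; starbucks-partner[.]com is the report's own example.

```python
"""Look-alike domain triage for the Domain Monitoring recommendation above. Added
example: the owned-domain allowlist, lure words, homoglyph table, thresholds and the
candidate domains are constructed or assumed; none come from the report or from
Starbucks' own monitoring (starbucks-partner[.]com is the report's illustration)."""

BRAND = "starbucks"
# Domains the brand legitimately owns (constructed allowlist); their subdomains are fine.
OWNED_DOMAINS = ("starbucks.com", "starbucks.co.uk")
# Words that make an impersonating domain more convincing when paired with the brand,
# ordered longest first so 'partners' is not counted again as 'partner'.
LURE_WORDS = ("partners", "partner", "central", "payroll", "login", "sso", "hr")
# Digit/letter substitutions common in look-alike registrations. Coarse on purpose:
# "rn" -> "m" will also rewrite ordinary words, so treat matches as leads, not verdicts.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "rn": "m", "vv": "w"}
# Two-label public suffixes the naive splitter knows about (constructed, not a full PSL).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Return the label just left of the public suffix, e.g. 'starbucks-partner'
    for 'www.starbucks-partner.com'. Naive; a real tool would consult the PSL."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Undo homoglyph substitutions and drop separators so 'st4rbucks-hr' -> 'starbuckshr'."""
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label.replace("-", "").replace("_", "")


def score_domain(domain, max_distance=2):
    """Return None for owned or unrelated domains, otherwise a dict describing why the
    domain looks like an impersonation of BRAND and how severe it looks."""
    d = domain.lower().strip(".")
    if any(d == o or d.endswith("." + o) for o in OWNED_DOMAINS):
        return None
    core = normalize(registrable_label(d))
    lures = []
    for word in LURE_WORDS:
        if word in core:
            lures.append(word)
            core = core.replace(word, "")
    distance = levenshtein(core, BRAND)
    if BRAND not in core and distance > max_distance:
        return None  # nothing brand-like left once the lure words are removed
    return {"domain": d, "core": core, "distance": distance, "lures": lures,
            "severity": "high" if lures else "medium"}


def triage(candidates):
    """Score a batch (e.g. new registrations or CT log entries) and rank the hits."""
    hits = [r for r in map(score_domain, candidates) if r]
    return sorted(hits, key=lambda r: (r["severity"] != "high", r["distance"], r["domain"]))


# Constructed candidates a feed might deliver; only the first is named in the report.
SAMPLE_CANDIDATES = ["starbucks-partner.com", "starbuckspartnercentral.net", "starbucks.com",
                     "partner.starbucks.com", "st4rbucks-hr.com", "starbuck-login.info",
                     "starbucks.net", "example.org"]

if __name__ == "__main__":
    for hit in triage(SAMPLE_CANDIDATES):
        print(f"{hit['severity']:6} {hit['domain']:30} lures={hit['lures']} distance={hit['distance']}")
```

Hits that carry a lure word ("high") are the ones worth a takedown request first, since a bare brand on an unowned TLD is often a parked or defensive registration, whereas brand plus "partner", "login" or "hr" is the shape a credential-harvesting page needs. The edit-distance threshold trades recall against noise: 2 catches single-character swaps and dropped letters without pulling in every word that happens to share a few characters with the brand.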