Starbucks' mobile app leaves customers' passwords open to attack, according to a research report.
The popular app, which allows Starbucks ( customers to purchase drinks and food directly from their smartphones, saves customers' usernames, passwords and other personal information in plain text. That means a hacker could pick up a left-behind phone, plug it into a laptop and easily recover a Starbucks customer's password without even knowing the smartphone's PIN code. )
Starbucks spokeswoman Linda Mills acknowledged the vulnerability and said the possibility of the vulnerability being exploited is "very far fetched."
Mills and Jim Olson, another Starbucks spokesman, said no customers have claimed to have been hacked as a result.
"Obviously the security of our customers' information is of the utmost importance to Starbucks and we're monitoring for any risks and vulnerabilities," Olson said.
After CNNMoney and other outlets reported the issue, the company announced in a letter to customers it was "working to accelerate the deployment of an update for the app that will add extra layers of protection."
Curt Garner, Starbucks chief information officer, wrote in the online letter that "we expect this update to be ready soon." The app is available for Apple ( and )Google ( Android devices. )
On Wednesday, Olson stressed the company was "always evolving and enhancing our systems to ensure that our systems are secure."
Exploiting the issue wouldn't be easy. To access a customer's password, a hacker needs to be in possession of the phone, have a computer handy, and know how to access the file.
If a hacker does obtain the password, it would allow him or her access to money stored in the customer's Starbucks account. Customers could be at greater risk if they use the same password for other sites.
The issue was first exposed by security researcher Daniel Wood, a Starbucks customer who said he tested the app to see if his information was secure.
"The application is storing the users' information -- everything from your full name to your address to your username and password as well as your email address," he told CNNMoney.
Wood disclosed the issue in an online posting after approaching the company in December without a response from technical teams. After the issue became public, he was contacted by Starbucks. On Tuesday, his post was reported by the technology site ComputerWorld.