TL;DR: Attackers created fake websites that looked exactly like Starbucks' internal Partner Central portal. When 889 employees entered their login credentials, the attackers captured them and used those credentials to access the real portal. The breach ran from January 19 to February 11, 2026. The stolen data includes names, Social Security numbers, dates of birth, and bank account numbers with routing information. Starbucks detected the breach on February 6 but took over a month to notify affected workers. If you're a Starbucks employee (current or former), monitor your bank accounts and credit reports now.
How They Pulled It Off
This wasn't a sophisticated zero-day exploit. Attackers built clone websites that mimicked Starbucks' Partner Central, the internal portal employees use to manage payroll, benefits, and HR information [1].
Employees who landed on the fake sites entered their real credentials. The attackers captured those logins and used them to access the legitimate Partner Central portal. Classic credential harvesting [2].
The breach ran for about three weeks, from January 19 to February 11, 2026. Starbucks detected suspicious activity on February 6 but didn't notify affected employees until March 10, over a month later [1][3].
What They Got
The compromised accounts gave attackers access to employee records containing [1][2][3]:
- Full names
- Social Security numbers
- Dates of birth
- Bank account numbers and routing numbers (for direct deposit)
That's the identity theft starter pack. With an SSN, a date of birth, and bank details, someone can open accounts in your name, redirect your paychecks, or file fraudulent tax returns.
Starbucks' Response
After detecting the breach, Starbucks engaged external cybersecurity experts, notified law enforcement, and "strengthened access controls" for Partner Central [2][3].
Affected employees get 24 months of Experian IdentityWorks: credit monitoring, identity restoration, and up to $1 million in identity theft insurance coverage [1][2].
The company hasn't disclosed exactly how employees were directed to the fake portal sites, whether through phishing emails, malicious ads, or compromised search results. That gap matters because it's the difference between a targeted attack and a broader credential harvesting operation.
Portal Cloning Is a Growing Problem
This attack method is cheap and effective. Attackers don't need to breach Starbucks' actual systems. They just need to trick employees into typing their credentials into a convincing-looking fake.
We've seen the same playbook hit other companies:
- Microsoft 365 lookalikes target corporate employees daily
- Bank portal clones circulate through phishing campaigns
- HR portal fakes spike during tax season when employees expect to access W-2s
Multi-factor authentication helps, but it's not bulletproof. If the fake site proxies the MFA challenge in real time, attackers can capture and replay those tokens too.
If You're a Starbucks Employee
The Bigger Picture
889 employees isn't a massive number. But each of those people now has their SSN, birth date, and bank details in criminal hands. That data doesn't expire. It'll show up on dark web marketplaces, get bundled into identity packages, and circulate for years.
The attack itself was trivially simple. Clone a login page. Send people there. Wait for them to type their passwords. It works because we've trained employees to expect portal logins without giving them reliable ways to verify they're on the real site.
Password managers help: they won't autofill credentials on a fake domain. Hardware security keys (FIDO2/WebAuthn) are even better. But until companies mandate these tools instead of just suggesting them, clone attacks will keep working.