Starbucks Partner Central Data Breach Exposes Sensitive Employee Information in Credential Phishing Attack
- Mar 15

Executive Summary
Starbucks has disclosed a data breach impacting 889 employees after attackers gained unauthorized access to internal HR accounts through credential-harvesting phishing attacks. The breach, detected on February 6, 2026, involved threat actors impersonating the Starbucks Partner Central portal to obtain employee login credentials. The attackers maintained access to affected accounts between January 19 and February 11, 2026, exposing sensitive personal and financial information, including names, Social Security numbers, dates of birth, and bank account and routing numbers. Starbucks responded by notifying law enforcement, engaging external cybersecurity experts, and offering 24 months of identity protection and credit monitoring to affected employees. No customer data was impacted. The incident highlights the ongoing risk of phishing attacks targeting HR systems in large retail organizations and underscores the importance of multi-factor authentication and employee security awareness. All information in this summary is directly supported by the cited primary sources below.
Technical Information
The Starbucks data breach was executed through a credential-harvesting phishing campaign targeting the Starbucks Partner Central employee portal. Attackers created fraudulent websites that closely mimicked the legitimate Partner Central login page. Employees were lured to these sites, likely via phishing emails or messages, and entered their credentials, which were then captured by the attackers. Using these valid credentials, the threat actors accessed the real Partner Central accounts, which are used to manage employment details, payroll, benefits, and other HR-related information.
The attack did not involve malware deployment or exploitation of technical vulnerabilities within the Partner Central platform itself. Instead, it relied entirely on social engineering and the absence of phishing-resistant multi-factor authentication (MFA). The attackers’ use of valid credentials allowed them to bypass standard security controls and maintain undetected access for several weeks.
The breach exposed highly sensitive employee data, including names, Social Security numbers, dates of birth, and financial account and routing numbers. This information is valuable for identity theft and financial fraud, increasing the risk profile for affected employees.
Technical mapping to the MITRE ATT&CK framework identifies the following techniques:
T1566.001 (Phishing: Spearphishing Link): Employees received phishing messages directing them to fake login pages.
T1192 (Spearphishing Link): The use of websites impersonating the Partner Central portal to harvest credentials.
T1078 (Valid Accounts): Attackers used stolen credentials to access legitimate HR accounts.
T1586 (Compromise Accounts): Compromised accounts were leveraged for further access and data exfiltration.
No evidence of malware, command-and-control infrastructure, or technical exploitation was found in any primary source. The attack’s success was due to effective social engineering and credential theft.
The tactics, techniques, and procedures (TTPs) observed in this incident closely align with those of the Payroll Pirates (also known as Storm-2657), a financially motivated threat group known for targeting HR and payroll portals in the retail, education, and service sectors. This group typically uses adversary-in-the-middle phishing campaigns to harvest credentials and MFA codes, then accesses HR systems to exfiltrate sensitive data or modify payment information. However, there is no direct technical evidence linking this specific breach to Payroll Pirates; attribution is based on pattern analysis and sector targeting, resulting in medium confidence.
The breach underscores the vulnerability of HR and employee portals to phishing and credential theft, particularly in large organizations with distributed workforces. The incident also highlights the need for robust security controls, including phishing-resistant MFA, employee security awareness training, and continuous monitoring for suspicious account activity.
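To make concrete why the report singles out phishing-resistant MFA, the following Python sketch is an added example (not code from the report, from Starbucks, or from the Partner Central platform) of the relying-party checks a WebAuthn login performs. A lookalike site can collect a password and relay a one-time code, but it cannot change the origin the browser writes into clientDataJSON or the RP ID hash in authenticatorData, so the portal rejects the assertion. The hostnames are constructed placeholders, and the ECDSA signature check is left out so the block runs with the standard library only.

```python
import base64
import hashlib
import json
import os
from typing import Tuple

# Relying-party identity for the HR portal. Both names are constructed
# placeholders, not the real Partner Central hostnames.
RP_ID = "partnercentral.example"
EXPECTED_ORIGIN = "https://partnercentral.example"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    # The browser fills in the origin of the page it is actually on; page
    # JavaScript cannot override it. This is the field a lookalike site cannot fake.
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()


def browser_authenticator_data(page_host: str) -> bytes:
    # authenticatorData starts with SHA-256 of the RP ID, which the browser derives
    # from the effective domain of the page, then a flags byte (0x01 = user present)
    # and a 4-byte signature counter.
    return hashlib.sha256(page_host.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")


def verify_assertion(client_data: bytes, auth_data: bytes, issued_challenge: bytes) -> Tuple[bool, str]:
    # Relying-party checks from the WebAuthn assertion procedure. The signature over
    # authData || SHA-256(clientDataJSON) is not checked here (it needs an ECDSA
    # library); the origin and rpIdHash checks are what make the scheme phishing-resistant.
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + repr(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def login_from(page_origin: str) -> Tuple[bool, str]:
    # One login ceremony: the portal issues a challenge, the user's browser (on
    # page_origin) produces the assertion, and the portal verifies it. For a lookalike
    # site the challenge is assumed to have been relayed from the real portal, so
    # only the origin-bound fields differ from a genuine login.
    challenge = os.urandom(32)
    host = page_origin.split("://", 1)[1]
    client_data = browser_client_data(challenge, page_origin)
    auth_data = browser_authenticator_data(host)
    return verify_assertion(client_data, auth_data, challenge)


if __name__ == "__main__":
    print("real portal:   ", login_from(EXPECTED_ORIGIN))
    print("lookalike site:", login_from("https://partnercentral-login.example"))
```

The same relay that works against a password plus SMS or TOTP code produces an assertion whose origin is the lookalike hostname, which the portal refuses before any signature is examined; that is the property that distinguishes phishing-resistant MFA from code-based MFA in the mitigation list.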
Affected Versions & Timeline
The breach specifically impacted the Starbucks Partner Central employee portal. No software vulnerability or version-specific flaw was exploited; the attack vector was credential theft via phishing.
The timeline of the incident is as follows: Attackers gained access to Partner Central accounts between January 19 and February 11, 2026. Starbucks detected suspicious activity on February 6, 2026, and immediately launched an investigation with external cybersecurity experts. Law enforcement was notified, and containment measures were implemented. Public disclosure and employee notifications occurred on March 13 and 14, 2026.
A total of 889 employee accounts were compromised. The breach did not affect customer data or other Starbucks systems.
Threat Activity
The threat activity in this incident centered on credential-harvesting phishing attacks. Attackers created websites impersonating the Starbucks Partner Central portal and distributed phishing messages to employees. When employees entered their credentials on these fraudulent sites, the attackers captured the information and used it to access the legitimate HR portal.
The attackers maintained access to compromised accounts for approximately three weeks, from January 19 to February 11, 2026. During this period, they had the ability to view and potentially exfiltrate sensitive personal and financial information stored in the affected accounts.
No evidence was found of lateral movement, privilege escalation, or the use of malware within the Starbucks environment. The attack was limited to the use of stolen credentials to access employee accounts.
The tactics used in this breach are consistent with those observed in previous campaigns by the Payroll Pirates threat group, which targets HR and payroll systems in the retail and service sectors. However, no direct technical indicators (such as phishing domain overlap or phishing kit reuse) were identified in the available evidence, so attribution remains at medium confidence.
The breach highlights the ongoing threat posed by credential-harvesting phishing campaigns, particularly those targeting HR and employee portals that store large volumes of sensitive data.
Mitigation & Workarounds
The following mitigation strategies are prioritized by severity:
Critical: Implement phishing-resistant multi-factor authentication (MFA) for all access to HR and employee portals such as Starbucks Partner Central. This significantly reduces the risk of account compromise via credential theft.
High: Conduct regular employee security awareness training focused on identifying and reporting phishing attempts, especially those targeting HR and payroll systems. Employees should be trained to verify the authenticity of login pages and to avoid clicking on suspicious links in emails or messages.
High: Monitor HR and employee portals for unusual login activity, such as logins from unfamiliar locations or devices, and implement automated alerts for suspicious behavior.
Medium: Review and strengthen access controls for sensitive employee data, ensuring that only authorized personnel have access to personal and financial information.
Medium: Regularly audit and update incident response plans to ensure rapid detection, containment, and notification in the event of a breach.
Low: Provide ongoing support and resources to affected employees, including identity protection and credit monitoring services, as Starbucks has done in this incident.
Starbucks has already taken several of these steps, including notifying law enforcement, engaging external cybersecurity experts, strengthening security controls, and offering 24 months of identity protection and credit monitoring to affected employees.
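As an added example of the High-priority monitoring item above (not from the report or from any Rescana or Starbucks tooling), the Python block below runs three detections over constructed HR-portal events: a login from a device or location the user has never used, a sensitive action (viewing bank details, changing direct deposit) shortly after such a login, and one source address producing unfamiliar logins for several accounts. The JSON-lines format, event names, and sample values are assumptions; logins before a baseline date teach each user's known devices and geos, and later logins are compared against that frozen baseline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events in an assumed JSON-lines format; not real portal logs.
# 203.0.113.9 (a documentation range) stands in for an unfamiliar source address.
SAMPLE_LOG = """
{"ts":"2026-01-12T08:01:00Z","user":"p1001","event":"login","ip":"10.1.1.5","device":"dev-a","geo":"US-WA"}
{"ts":"2026-01-12T08:02:00Z","user":"p1001","event":"view_profile","ip":"10.1.1.5","device":"dev-a","geo":"US-WA"}
{"ts":"2026-01-13T09:00:00Z","user":"p1002","event":"login","ip":"10.1.2.7","device":"dev-b","geo":"US-OR"}
{"ts":"2026-01-19T03:14:00Z","user":"p1001","event":"login","ip":"203.0.113.9","device":"dev-z","geo":"XX"}
{"ts":"2026-01-19T03:15:00Z","user":"p1001","event":"view_bank_details","ip":"203.0.113.9","device":"dev-z","geo":"XX"}
{"ts":"2026-01-19T03:20:00Z","user":"p1002","event":"login","ip":"203.0.113.9","device":"dev-z","geo":"XX"}
{"ts":"2026-01-19T03:21:00Z","user":"p1002","event":"update_direct_deposit","ip":"203.0.113.9","device":"dev-z","geo":"XX"}
{"ts":"2026-01-20T08:00:00Z","user":"p1002","event":"login","ip":"10.1.2.7","device":"dev-b","geo":"US-OR"}
"""

# Events touching the data classes exposed in this incident (assumed event names).
SENSITIVE_EVENTS = {"view_bank_details", "update_direct_deposit", "view_ssn"}
FOLLOW_ON_WINDOW = timedelta(minutes=30)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(log_text: str) -> List[dict]:
    events = []
    for line in log_text.strip().splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], TS_FORMAT)
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(log_text: str, baseline_end: str) -> List[Dict[str, str]]:
    """Logins before baseline_end build each user's known devices and geos;
    logins on or after it are judged against that frozen baseline."""
    cutoff = datetime.strptime(baseline_end, TS_FORMAT)
    known_devices = defaultdict(set)
    known_geos = defaultdict(set)
    last_new_login = {}                   # user -> (ts, ip, device)
    users_per_new_ip = defaultdict(set)   # ip -> users with a flagged login from it
    alerts = []

    def alert(e, rule, severity, detail):
        alerts.append({"ts": e["ts"].strftime(TS_FORMAT), "user": e["user"],
                       "rule": rule, "severity": severity, "detail": detail})

    for e in parse_events(log_text):
        user = e["user"]
        if e["event"] == "login":
            if e["ts"] < cutoff:
                known_devices[user].add(e["device"])
                known_geos[user].add(e["geo"])
                continue
            unfamiliar = []
            if e["device"] not in known_devices[user]:
                unfamiliar.append("device " + e["device"])
            if e["geo"] not in known_geos[user]:
                unfamiliar.append("geo " + e["geo"])
            if unfamiliar:
                alert(e, "new_device_or_location_login", "medium", ", ".join(unfamiliar))
                last_new_login[user] = (e["ts"], e["ip"], e["device"])
                users_per_new_ip[e["ip"]].add(user)
        elif e["event"] in SENSITIVE_EVENTS:
            # Sensitive action in the same session (same ip/device) soon after a flagged login.
            prior = last_new_login.get(user)
            if prior and e["ts"] - prior[0] <= FOLLOW_ON_WINDOW and (e["ip"], e["device"]) == prior[1:]:
                alert(e, "sensitive_action_after_unfamiliar_login", "high", e["event"])

    # Several accounts with unfamiliar logins from one address suggests one operator
    # using credentials harvested from many employees.
    for ip, users in users_per_new_ip.items():
        if len(users) >= 2:
            alerts.append({"ts": "", "user": ",".join(sorted(users)),
                           "rule": "one_source_many_accounts", "severity": "high",
                           "detail": "%d accounts from %s" % (len(users), ip)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, "2026-01-18T00:00:00Z"):
        print(a)
```

On the sample data the two employees' own devices never alert, while the unfamiliar device yields a medium alert per account, a high alert for each follow-on bank-detail action, and one high alert tying both accounts to the same source address. In production the baseline would be learned from a longer history and refreshed as devices are vetted, rather than frozen at a fixed date.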
References
https://www.bleepingcomputer.com/news/security/starbucks-discloses-data-breach-affecting-hundreds-of-employees/
https://securityaffairs.com/189438/security/starbucks-data-breach-impacts-889-employees.html
https://www.esecurityplanet.com/threats/starbucks-hr-portal-breach-exposes-employee-information/
https://thehackernews.com/2025/10/microsoft-warns-of-payroll-pirates.html
https://rhisac.org/reports/uncovering-critical-cyber-threats-to-retail-and-hospitality/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and partners. Our platform enables continuous monitoring of supply chain and third-party exposures, supports incident response workflows, and provides actionable insights for improving security posture. For questions about this report or to discuss how Rescana can support your organization’s risk management needs, please contact us at ops@rescana.com.


