Starbucks' free in-store Wi-Fi has been caught secretly hijacking customers' laptops to mine cryptocurrency. On 2 December, Stensul CEO Noah Dinkin noticed there was a 10-second delay when connecting to the public Wi-Fi at a Starbucks store in Buenos Aires, Argentina.
After a little digging, he uncovered some suspicious code embedded in Starbucks' reward site for Argentina. It turned out to be Coinhive's code, which generates Monero coins using the CPU processing power of the site's visitors.
"Hi @Starbucks @StarbucksAr did you know that your in-store wifi provider in Buenos Aires forces a 10-second delay when you first connect to the wifi so it can mine bitcoin using a customer's laptop? Feels a little off-brand...," Dinkin tweeted along with a screenshot of the code.
The tweet immediately sparked criticism and concerns over security and privacy on social media.
Starbucks later responded to Dinkin's tweet confirming the issue.
"As soon as we were alerted of the situation in this specific store last week, we took swift action to ensure our internet provider resolved the issue and made the changes needed in order to ensure our customers could use Wi-Fi in our store safely," the official Starbucks account tweeted.
It is still unclear if Starbucks was knowingly running the cryptocurrency miner or if it was injected by hackers.
"Last week, we were alerted to the issue and we reached out to our internet service provider – the Wi-Fi is not run by Starbucks, it's not something we own or control," Starbucks spokesperson Reggie Borges told Motherboard. "We want to ensure that our customers are able to search the internet over Wi-Fi securely, so we will always work closely with our service provider when something like this comes up.
"We don't have any concern that this is widespread across any of our stores," Borges added.
IBTimes UK has reached out to Starbucks for comment and is awaiting a response.
This finding comes as numerous companies and websites have been found to be running similar code on their own sites to covertly generate digital currencies as an alternative to advertising, without the knowledge or consent of users.
Coinhive was also recently targeted by hackers who hijacked its DNS server, changed its settings and briefly redirected generated cryptocurrency to a third-party server. The company did not reveal how much revenue was lost in the attack.
Coinhive said the threat actors likely used an old password for its Cloudflare account that may have been leaked in the 2014 Kickstarter data breach.