Starbucks Employee Data Breach via Phishing of Partner Central Accounts
Starbucks disclosed a data breach affecting employee Partner Central accounts after attackers used phishing sites impersonating the company’s login portal to steal valid credentials and access internal HR-related records. The company said it became aware of the intrusion on or about February 6, 2026, and a subsequent investigation found unauthorized access to 889 employee accounts between January 19 and February 11. The compromised data included employees’ full names, Social Security numbers, dates of birth, and bank account and routing information, creating elevated risk of identity theft and financial fraud.
Starbucks said it engaged external cybersecurity experts, notified law enforcement, and implemented additional security measures around Partner Central access following the incident. Affected employees were advised to monitor financial accounts for suspicious activity, and the company is offering 24 months of Experian IdentityWorks identity protection and credit monitoring. Reporting that focuses on the same incident consistently attributes the breach to credential theft through fake Partner Central websites, while separate coverage of Loblaw concerns a different retail-sector intrusion and is not part of the Starbucks event.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Starbucks disclosed employee data breach and response measures
Starbucks publicly disclosed the breach, said it had notified law enforcement, strengthened security controls for Partner Central, and offered affected employees 24 months of Experian IdentityWorks identity theft protection and credit monitoring. Public reporting identified 889 impacted employee accounts.
Unauthorized access window in Starbucks breach ended
Starbucks determined that the period of unauthorized access to affected Partner Central accounts lasted until 2026-02-11. The breach ultimately affected 889 employee accounts and exposed data including names, Social Security numbers, dates of birth, and bank account information.
Starbucks discovered unauthorized access to employee accounts
Starbucks said it became aware of the incident on or about 2026-02-06 after attackers had gained access to Partner Central accounts using stolen credentials. The company launched an investigation and engaged external cybersecurity experts.
Phishing campaign began compromising Starbucks Partner Central accounts
Threat actors used phishing websites impersonating Starbucks' Partner Central portal in an adversary-in-the-middle credential theft campaign. Unauthorized access to employee accounts began on 2026-01-19.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Starbucks employee data compromised in partner central account breach | brief | SC Media
scworld.com
Open sourceStarbucks data breach impacts 889 employees
securityaffairs.com
Open sourceStarbucks Data Breach - Hundreds of Users' Personal Data Exposed
cybersecuritynews.com
Open sourceStarbucks discloses data breach affecting hundreds of employees
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShadowByt3s Claims Starbucks S3 Breach Exposed Source Code and Beverage Firmware
Threat actor **ShadowByt3s**, using the alias **BlackVortex1**, claimed to have breached Starbucks by accessing a misconfigured Amazon S3 bucket allegedly named `sbux-assets` and exfiltrating about **10 GB** of proprietary data. The actor said the haul includes source code, internal web-based management and inventory tools, developer backup files, authentication logic, internal service URLs, and firmware tied to store equipment including **Mastrena II espresso machines**, **FreshBlends smoothie stations**, beverage dispensers, and **Siren System** and **Blue Sparq** controllers. The stolen material was advertised on dark web forums with claims that proof had been shared through Mega.nz and Telegram, and the actor set an **April 5** extortion deadline, threatening to publish the dataset if Starbucks does not pay. Reporting said the exposure could create supply-chain and operational technology risks because the alleged leak includes control logic and firmware for beverage equipment, while threat intelligence monitoring channels including **VECERT** flagged the claim; the incident also follows a separate Starbucks disclosure in March involving a phishing campaign that compromised **889 Partner Central employee accounts**.
Apr 2, 2026
Loblaw Customer Data Breach via Compromised IT Network Segment
**Loblaw Companies Limited** disclosed that attackers gained unauthorized access to a contained, non-critical portion of its IT network and exfiltrated basic customer information. The company said the exposed data includes **names, phone numbers, and email addresses**, while its investigation has so far found no evidence that **passwords, payment card data, health or pharmacy records, or PC Financial systems** were compromised. Loblaw said it detected suspicious activity, contained the affected environment, and launched an investigation into the intrusion. Reporting on the incident indicates the breach affected customer records stored in that segmented environment, creating follow-on risk of **phishing and social engineering** against impacted individuals. As a precaution, Loblaw logged customers out of their accounts, and external reporting noted no public threat actor claim tied to the intrusion at the time of publication. The available information indicates a limited but confirmed exposure of personally identifiable information rather than a compromise of Loblaw’s core operational, financial, or medical data systems.
Mar 21, 2026
Panera Bread Data Breach Linked to ShinyHunters Extortion Leak
**Panera Bread** suffered a data breach in which the **ShinyHunters** extortion group claimed to have stolen data for more than 14 million accounts, then leaked a ~**760MB** archive after Panera allegedly refused to pay. **Have I Been Pwned (HIBP)** reviewed the exposed dataset and reported it contains **~5.1 million unique email addresses**, indicating the real impact is substantially smaller than initial claims; the leaked data is described as account/contact information including **names, phone numbers, and physical addresses**. Panera has indicated the exposed data was **contact information** and said authorities were notified, while public notification to affected individuals was not yet reflected in the reporting. ShinyHunters told reporters the intrusion leveraged a **Microsoft Entra single sign-on (SSO) code**, and was tied to a broader **vishing** campaign targeting SSO accounts at major identity providers (including **Okta, Microsoft, and Google**) across **100+ organizations**. Other items in the set are unrelated: StopICE reported an attack involving abusive texts and alleged DDoS activity rather than the Panera incident, a Texas convenience-store operator (Gulshan Management Services) disclosed a separate ransomware-related data compromise affecting ~377,000 people, and a separate report described a widespread **cloud storage renewal/payment phishing** campaign.
Mar 21, 2026