ShadowByt3s Claims Major Starbucks Breach, Steals 10GB of Proprietary Code and Firmware The threat group ShadowByt3s has claimed responsibility for a cyberattack on Starbucks, allegedly exfiltrating 10GB of proprietary source code and operational firmware from a misconfigured Amazon S3 bucket named sbux-assets. The breach, part of a broader campaign targeting cloud vulnerabilities, was announced by a threat actor under the alias BlackVortex1 on a dark web forum. The stolen data includes highly sensitive operational technology controlling Starbucks’ physical store machines, such as: - Beverage dispenser firmware for core systems like Siren System components and Blue Sparq motor boards. - Mastrena II espresso machine software, including touch-screen interface code and motor configurations. - FreshBlends assets, containing proprietary UI packages, ingredient ratios, and pricing logic for automated smoothie stations. Additionally, the breach reportedly compromises internal web-based management tools, including a centralized "New Web UI" for global machine oversight, an inventory management portal (b4-inv), and operational monitoring utilities for technician diagnostics. ShadowByt3s has set an extortion deadline of April 5, 2026, at 5:00 PM, threatening to publicly release the full dataset if Starbucks does not comply with their ransom demands. The incident follows a March 2026 phishing attack that exposed 889 employee accounts, though this latest breach focuses on corporate infrastructure rather than personal data. Cybersecurity monitoring platforms, including VECERT, have flagged the alleged leak as circulating on threat intelligence channels since April 1, 2026. The group claims to be actively scanning for and exploiting cloud misconfigurations to harvest sensitive corporate data.

Starbucks Discloses Data Breach Impacting Hundreds of Employees Starbucks recently confirmed a data breach affecting 889 employees after threat actors gained unauthorized access to their Starbucks Partner Central accounts, which store sensitive employment and personal information. The incident was discovered on February 6, 2026, following an investigation that revealed attackers had compromised accounts between January 19 and February 11. The breach exposed employees' names, Social Security numbers, dates of birth, and financial account details, including routing numbers. According to Starbucks, the attackers obtained login credentials through fraudulent websites impersonating Partner Central. The company took five days to revoke access after detecting the intrusion. In response, Starbucks notified law enforcement, enhanced security controls for Partner Central accounts, and offered affected employees two years of free identity theft protection and credit monitoring via Experian IdentityWorks. The company also advised impacted individuals to monitor their bank accounts for suspicious activity. This incident follows previous breaches, including a 2022 attack on Starbucks Singapore that exposed over 219,000 customers due to a third-party vendor compromise, and a 2024 ransomware attack on supply chain provider Blue Yonder, which disrupted Starbucks' operations.

Broadcom, a global technology leader valued at hundreds of billions, was among the high-profile victims of Cl0p’s ransomware attack exploiting a zero-day vulnerability in Oracle’s E-Business Suite (CVE-2025-61882 and CVE-2025-21884). The cybercriminal group exfiltrated sensitive corporate and customer data, threatening to leak or sell it unless a ransom was paid. The breach compromised critical systems, risking financial records, proprietary business data, and third-party customer information. Cl0p’s extortion tactics included warnings of public disclosure on their blog, torrent leaks, or sales to malicious actors, amplifying reputational and operational risks. Given Broadcom’s role in semiconductor and infrastructure technology, the attack posed supply chain cascading risks, potentially disrupting clients reliant on its products. Oracle issued emergency patches, but the damage—including data theft, potential regulatory fines, and erosion of stakeholder trust—had already occurred. The incident underscores vulnerabilities in enterprise software dependencies, with Broadcom facing long-term financial and strategic repercussions if the stolen data is weaponized.

Blue Yonder Ransomware Attack Disrupts Starbucks Operations, Highlighting 2024’s Escalating Cyber Threats On November 21, 2024, supply chain software provider Blue Yonder fell victim to a ransomware attack, causing significant disruptions for its customers including Starbucks. The incident impaired the coffee giant’s ability to manage employee schedules and process payroll across its 11,000 U.S. stores, forcing manual workarounds with pen-and-paper systems. As of November 25, Blue Yonder had not provided a timeline for full restoration and was collaborating with external cybersecurity firms to investigate the breach. The attack underscores a broader surge in ransomware activity in 2024, particularly targeting critical infrastructure and high-value supply chains. U.S. ports, for example, faced increased assaults, with the Port of Seattle suffering a major disruption in August. In response, the U.S. government expanded cybersecurity measures in February 2024, granting the Coast Guard broader authority to address maritime cyber incidents and mandating stronger defenses for port operators. Despite a 27.27% year-over-year decline in the number of ransomware payments, the financial impact has grown exponentially. Victims paid a record $459.8 million to cybercriminals in the first half of 2024, with the largest single payout reaching $75 million to the Dark Angels group. Median ransom payments also soared, jumping from under $200,000 in early 2023 to $1.5 million by mid-2024, while average demands rose to $2.73 million nearly $1 million higher than the previous year. Ransomware groups have become more aggressive, with 31 new gangs emerging in the past 12 months alone. Law enforcement crackdowns on groups like LockBit have led to replacements such as RansomHub, creating a persistent cycle of threats. Healthcare organizations have been particularly hard hit, with 264 attacks recorded in the first three quarters of 2024 67% of surveyed institutions reporting impacts. Recovery times have also worsened, with only 22% of victims restoring operations within a week, down from 47% in 2023. The trend reflects a strategic shift among cybercriminals, who now prioritize larger, more critical targets to maximize payouts, further straining organizations’ resilience against evolving threats.

The Singapore division of Starbucks suffered a data breach incident that affected 219,000 of its customers. Even a threat actor offered to sell a database containing sensitive details of 219,675 Starbucks customers on a popular hacking forum for $3,500. The information included the name, gender, date of birth, mobile number, email address, residential address and other personal information. Singapore urges customers to reset their passwords and remain vigilant against suspicious communications.