Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



SQL Injection Vulnerability Exposed Starbucks Financial Records

A critical SQL injection vulnerability exposed nearly one million financial records stored in a Starbucks enterprise database, a researcher revealed this week.

A critical SQL injection vulnerability exposed nearly one million financial records stored in a Starbucks enterprise database, a researcher revealed this week.

Eugene Lim, aka spaceraccoon, earned $4,000 after reporting the flaw to Starbucks via the company’s bug bounty program on HackerOne. The security hole was identified on April 8 and it was patched within two days. The vulnerability report he submitted to HackerOne was made public on August 6.

It’s worth noting that $4,000 is the maximum amount of money Starbucks pays for critical vulnerabilities through its bug bounty program. The average bounty awarded by the coffee giant is $250 and the total amount paid out so far exceeds $400,000.

According to Lim, he started by checking the targeted endpoint for file upload vulnerabilities and then tested it for XXE flaws after noticing that it had been running the Microsoft Dynamics AX enterprise resource planning (ERP) platform.

After his attempts to launch XXE attacks failed, he decided to move on to other potential targets. Roughly a month later, he decided to revisit the endpoint and check for SQL injections, which he soon discovered.

“So I had an SQL injection – but what if the database was unused or negligible? I decided to test for three things: the type of data in the database, the amount of data, and the recency of data. However, I quickly met a roadblock: as an enterprise database, Microsoft Dynamics AX was massive: a quick check revealed that the database had thousands of tables. I had to find and focus on the main table, but where should I begin?” Lim wrote in his report to Starbucks.

He added, “Fortunately, Microsoft provides documentation online about Dynamics AX. After a bit of research, I found the default main table and the relevant columns. A few minutes later, the answers came in. There were almost a million entries up till the previous year that included real accounting information. Zaheck!! I immediately stopped testing and wrote my report.”

The researcher said the database stored accounting and other financial records, including tax, receipt and payroll data.

SQL injection vulnerability in Starbucks

Related: Google Increases Bug Bounty Program Rewards

Related: Two White Hats Earn Over $1 Million via Bug Bounty Programs

Related: Researcher Earns $10,000 for Another XSS Flaw in Yahoo Mail

Related: Instagram Account Takeover Vulnerability Earns Hacker $30,000

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet