Some Starbucks card holders and mobile app users recently received a disturbing wake-up call, and it wasn't a result of their caramel macchiatos. Instead, it derived from hackers who drained their Starbucks accounts without using an account number.

The Starbucks hack seems to be partly enabled by fraudsters accessing the coffee giant's auto-reload function and customers' weak Starbucks account passwords to steal hundreds of dollars in minutes.

One victim had $34.77 in card value wiped out, then another $25 and $75 stolen after the amounts were auto-loaded onto her card, according to consumer advocate blogger Bob Sullivan, who broke the scam story. Though the victim received an alert, she could not act on it because the theft took place before the Starbucks service department opened for business.

Starbucks allows consumers to move balances between gift cards and combine balances from multiple cards onto a single card. A criminal who controls a Starbucks card can move balances from a victim's card to a card they control. In another variant on the crime, hackers use a hijacked account to email gift cards to accounts they control.
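
The drain, auto-reload, drain sequence reported here can be flagged from account activity logs. The sketch below is an added example, not code from Starbucks or the article; the event names, fields and 10-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Starbucks data or field names).
# The $25 and $75 reloads mirror the victim's case reported in the article.
EVENTS = [
    ("2015-05-01T07:10:00", "acct-A", "transfer_out", 34.77, "card-X"),
    ("2015-05-01T07:11:00", "acct-A", "auto_reload", 25.00, None),
    ("2015-05-01T07:12:00", "acct-A", "transfer_out", 25.00, "card-X"),
    ("2015-05-01T07:13:00", "acct-A", "auto_reload", 75.00, None),
    ("2015-05-01T07:14:00", "acct-A", "transfer_out", 75.00, "card-X"),
    # Benign: a reload after a purchase, and a lone transfer between cards.
    ("2015-05-01T08:00:00", "acct-B", "purchase", 4.95, None),
    ("2015-05-01T08:00:05", "acct-B", "auto_reload", 25.00, None),
    ("2015-05-02T09:00:00", "acct-C", "transfer_out", 10.00, "card-Y"),
]

DRAIN = {"transfer_out", "egift_sent"}  # ways value leaves the account

def find_drain_cycles(events, window=timedelta(minutes=10)):
    """Return {account: [(reload_amount, drained_amount), ...]} for every
    drain -> auto_reload -> drain sequence whose steps fall within `window`."""
    alerts, state = {}, {}
    for ts, acct, kind, amount, _dest in sorted(events):
        when = datetime.fromisoformat(ts)
        st = state.setdefault(acct, {"drain_at": None, "reload": None})
        if kind in DRAIN:
            if st["reload"] and when - st["reload"][0] <= window:
                alerts.setdefault(acct, []).append((st["reload"][1], amount))
            st["drain_at"], st["reload"] = when, None
        elif kind == "auto_reload":
            # Only a reload that closely follows a drain is suspicious.
            if st["drain_at"] and when - st["drain_at"] <= window:
                st["reload"] = (when, amount)
            else:
                st["reload"] = None
        else:
            # Any other activity (e.g. a purchase) breaks the sequence.
            st["drain_at"], st["reload"] = None, None
    return alerts

def stolen_via_reload(alerts):
    """Total value funded by auto-reload and then moved out, per account."""
    return {a: round(sum(d for _r, d in c), 2) for a, c in alerts.items()}
```

An alert of this kind is most useful when it pauses auto-reload or holds the outgoing transfer automatically, since the victim in this case was alerted but could not reach anyone in time.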

According to Sullivan, consumers are complaining about similar app/gift card/credit card hacks all over the Internet, including on Facebook.

Although Starbucks says consumers won't be responsible for the charges in situations like these, Sullivan reports it's murky as to what protection consumers are entitled to, because credit card accounts aren't actually compromised and cards haven't been stolen. Prepaid card users don't enjoy the same level of consumer protection.

Sullivan wrote that while Starbucks was quick to give one victim a new gift card with $37.44 on it, the additional reload charges of $25 and $75 had gone through on an American Express card, and it was up to the victim to dispute those charges with Amex.

Starbucks isn't answering specific questions about the fraud, but it did issue unclear statements to ZDNet and Sullivan suggesting there is no “loophole” on Starbucks gift cards or breach of Starbucks information.

“Like all major retailers, we have safeguards in place to constantly monitor for fraudulent activity and work closely with financial institutions to make sure our customers are protected,” the company said. “We also encourage our customers to use several best practices to ensure their information is as protected as possible such as using strong passwords, unique usernames/passwords for online accounts and changing their passwords often.”

The Starbucks announcement comes on the heels of recent cyber break-ins at The Hard Rock Hotel & Casino and Sally Beauty Holdings.

The Denton, Texas-based Sally Beauty Holdings Inc. confirmed an “illegal intrusion” into its payment card systems, marking the company's second data breach in just over a year.

The hotel announced previously that hackers accessed customer names, credit card numbers, expiration dates and CVV codes for credit and debit card transactions conducted between Sep. 3, 2014 and April 2, 2015 at restaurant, bar and retail locations on the Hard Rock Hotel's Las Vegas, Nev. property.

The event is also a reminder to consumers regarding password safety. Hackers often manage to steal and deal username and password combinations like they gather credit card account numbers. Because consumers often re-use identifications, hackers take them and try various combinations until the right log-in and password work.

Consumers also often pick passwords that are easy to remember and just as easy to decipher, such as their own name, children's or pets' names, birthdays or simple number sequences such as “123456.” Or, they use names or phrases easily obtained from a social network or public profile.

Perhaps the worst part of the story is in the company response. A survey, Data Security in the Evolving Payments Ecosystem, from Dublin, Ireland-based Experian and Traverse City, Mich.-based Ponemon Institute revealed concerns about the ability of breached companies to properly manage a security response, and organizations continue to be deficient in governance and security practices that could strengthen their data breach preparedness.

Michael Bruemmer, vice president of Experian Data Breach Resolution, pointed out there is a lack of confidence in security. “Everyone should be prepared for a data breach,” he said.

“The fact that credit card data at a major corporation has once again been stolen highlights the threat that retailers and quick serve restaurants of every size are facing from data thieves,” Kevin Watson, CEO of the Houston-based Netsurion, which provides cloud-managed firewall solutions to protect the data of small and medium-sized businesses, said.

“Businesses interested in keeping their networks and data secure should start with simple security measures that can effectively mitigate the growing problem that hackers represent,” Watson explained.

The first steps, he said, are: Protecting incoming Internet traffic with a robust and adaptable firewall, implementing secure remote access, keeping anti-malware software up to date, updating POS devices with available security patches and limiting outbound Internet traffic.

“While nothing is fool-proof, these suggestions could have prevented most, if not all, of the retail breaches that have garnered so much attention in the past 18 months,” he added.
