Some Starbucks card holders and mobile app users recently received a disturbing wake-up call, and it wasn't a result of their caramel macchiatos. Instead, it derived from hackers who drained their Starbucks accounts without using an account number.

The Starbucks hack seems to be partly enabled by fraudsters accessing the coffee giant's auto-reload function and customers' weak Starbucks account passwords to steal hundreds of dollars in minutes.

One victim had $34.77 in card value wiped out, then another $25 and $75 stolen after the amounts were auto-loaded onto her card, according to consumer advocate blogger Bob Sullivan, who broke the scam story. Though the victim received an alert, she could not act on it because the theft took place before Starbucks' service department opened for business.

Starbucks allows consumers to move balances between gift cards and combine balances from multiple cards onto a single card. A criminal who controls a Starbucks card can move balances from a victim's card to a card they control. In another variant on the crime, hackers use a hijacked account to email gift cards to accounts they control.
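The drain pattern described above (value moved out, auto-reload refills the card, value moved out again within minutes) is something an account-monitoring rule can look for. The following is an added example, not code from Starbucks or the original article; the event types, field layout and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, account, type, amount, destination).
# Event types and field layout are hypothetical, not Starbucks' schema.
EVENTS = [
    ("2015-05-01T06:01:00", "acct-A", "transfer_out", 34.77, "card-X"),
    ("2015-05-01T06:02:00", "acct-A", "auto_reload", 25.00, None),
    ("2015-05-01T06:03:00", "acct-A", "transfer_out", 25.00, "card-X"),
    ("2015-05-01T06:04:00", "acct-A", "auto_reload", 75.00, None),
    ("2015-05-01T06:05:00", "acct-A", "transfer_out", 75.00, "card-X"),
    # Benign: one reload, one transfer to a card the owner has used before.
    ("2015-05-01T09:00:00", "acct-B", "auto_reload", 25.00, None),
    ("2015-05-01T09:30:00", "acct-B", "transfer_out", 10.00, "card-B2"),
    # Benign: two gifts to a new recipient, hours apart, no reload between.
    ("2015-05-01T08:00:00", "acct-C", "gift_email", 10.00, "friend@example.com"),
    ("2015-05-01T13:00:00", "acct-C", "gift_email", 10.00, "friend@example.com"),
]
KNOWN_DESTINATIONS = {"acct-B": {"card-B2"}}  # constructed account history
OUTBOUND = {"transfer_out", "gift_email"}


def find_drains(events, known, window=timedelta(minutes=15)):
    """Flag accounts where value leaves to a new destination, an auto-reload
    refills the card, and value leaves to it again, all inside `window`."""
    by_account = defaultdict(list)
    for ts, acct, kind, amount, dest in events:
        by_account[acct].append((datetime.fromisoformat(ts), kind, amount, dest))
    alerts = {}
    for acct, rows in by_account.items():
        rows.sort(key=lambda r: r[0])
        for i, (start, kind, _, dest) in enumerate(rows):
            if kind not in OUTBOUND or dest in known.get(acct, set()):
                continue
            reloaded = drained_after_reload = False
            moved = 0.0
            for when, k, amt, d in rows[i:]:
                if when - start > window:
                    break
                if k == "auto_reload":
                    reloaded = True
                elif k in OUTBOUND and d == dest:
                    moved += amt
                    drained_after_reload = drained_after_reload or reloaded
            if drained_after_reload:
                alerts[acct] = {"destination": dest, "moved": round(moved, 2)}
                break
    return alerts
```

An alert raised on the first reload-then-drain cycle gives a fraud team the chance to pause auto-reload before further charges reach the funding card.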

According to Sullivan, consumers are complaining about similar app/gift card/credit card hacks all over the Internet, including on Facebook.

Although Starbucks says consumers won't be responsible for the charges in situations like these, Sullivan reports it's murky as to what protection consumers are entitled to, because credit card accounts aren't actually compromised and cards haven't been stolen. Prepaid card users don't enjoy the same level of consumer protection.

Sullivan wrote that while Starbucks was quick to give one victim a new gift card with $37.44 on it, the additional reload charges of $25 and $75 had gone through on an American Express card, and it was up to the victim to dispute those charges with Amex.

Starbucks isn't answering specific questions about the fraud, but it did issue unclear statements to ZDNet and Sullivan suggesting there is no “loophole” on Starbucks gift cards or breach of Starbucks information.


“Like all major retailers, we have safeguards in place to constantly monitor for fraudulent activity and work closely with financial institutions to make sure our customers are protected,” the company said. “We also encourage our customers to use several best practices to ensure their information is as protected as possible such as using strong passwords, unique user names/passwords for online accounts and changing their passwords often.”

The Starbucks announcement comes on the heels of recent cyber break-ins at The Hard Rock Hotel & Casino and Sally Beauty Holdings.

The Denton, Texas-based Sally Beauty Holdings Inc. confirmed an “illegal intrusion” into its payment card systems, marking the company's second data breach in just over a year.

The hotel announced previously that hackers accessed customer names, credit card numbers, expiration dates and CVV codes for credit and debit card transactions conducted between Sep. 3, 2014 and April 2, 2015 at restaurant, bar and retail locations on the Hard Rock Hotel's Las Vegas, Nev. property.

The event is also a reminder to consumers regarding password safety. Hackers often manage to steal and deal username and password combinations the same way they gather credit card account numbers. Because consumers often reuse credentials, hackers take them and try various combinations until the right log-in and password work.

Consumers also often pick passwords that are easy to remember and just as easy to decipher, such as their own name, children's or pets' names, birthdays or simple number sequences such as “123456.” Or, they use names or phrases easily obtained from a social network or public profile.

Perhaps the worst part of the story is in the company response. A survey, Data Security in the Evolving Payments Ecosystem, from Dublin, Ireland-based Experian and Traverse City, Mich.-based Ponemon Institute revealed concerns about the ability of breached companies to properly manage a security response, and found that organizations continue to be deficient in governance and security practices that could strengthen their data breach preparedness.

Michael Bruemmer, vice president of Experian Data Breach Resolution, pointed out there is a lack of confidence in security. “Everyone should be prepared for a data breach,” he said.

“The fact that credit card data at a major corporation has once again been stolen highlights the threat that retailers and quick serve restaurants of every size are facing from data thieves,” Kevin Watson, CEO of the Houston-based Netsurion, which provides cloud-managed firewall solutions to protect the data of small and medium-sized businesses, said.

“Businesses interested in keeping their networks and data secure should start with simple security measures that can effectively mitigate the growing problem that hackers represent,” Watson explained.

The first steps, he said, are: Protecting incoming Internet traffic with a robust and adaptable firewall, implementing secure remote access, keeping anti-malware software up to date, updating POS devices with available security patches and limiting outbound Internet traffic.

“While nothing is fool-proof, these suggestions could have prevented most, if not all, of the retail breaches that have garnered so much attention in the past 18 months,” he added.


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).