Starbucks was one of the earliest retailers to aggressively promote payments via mobile phone, and their efforts have been wildly successful. A whopping 29% of Starbucks purchases are now made via the mobile app or online. That helps the retailer streamline the checkout process, track customer behavior, and provide coupons and other freebies.
But there’s an apparent downside for customers. Reports of scammers taking over Starbucks accounts with relative ease have circulated since at least 2015, and more are cropping up on social media daily, according to recent reports.
While there’s no indication Starbucks’ own servers have been compromised recently, lots of users recycle usernames and passwords from other services. The Starbucks app doesn’t use two-factor authentication—say, requiring a confirmation code sent by SMS—so a hacker who unearths a working username and password can simply pretend to be the user on another phone, in what’s known as an account takeover.
Get Data Sheet, Fortune’s technology newsletter.
That lets the hackers load funds into the Starbucks app from the victim’s credit card or bank account, and then the hackers spend that money. BuzzFeed’s Vanessa Wong (who, herself, was hacked to the tune of $100) pointed out in a recent story, noting a criminal can easily buy gift cards with a compromised account, and then sell those gift cards.
Starbucks told BuzzFeed that the level of fraud on the app is very low, describing it as “a tiny fraction of 1%.” They were similarly defensive in a statement to Good Housekeeping, pointing customers to a page outlining online security best practices—most importantly to “use different user names and passwords for different sites.”
That’s solid advice, but even a “tiny fraction of 1%” of customers getting hacked is still enough to generate a steady stream of customer angst.
Fortune contacted Starbucks for further comment, and will update this post upon response.